
19 Jan 2004, 11:21 a.m.
On Sat, 17 Jan 2004, Sam Stickland wrote:
In an all switched network, sniffing can normally only be accomplished with MAC address spoofing (Man In The Middle). Watching for MAC address changes (from every machine's perspective), along with scanning for separate machines with the same ARP address, and using switches that can detect when a MAC address moves between ports will go a long way towards detecting sniffing.
My machines all scream bloody murder when an IP address has more than one MAC or even if the IP changes MAC addresses.

One of the suggestions mailed to me off list: http://sniffdet.sourceforge.net/

I haven't looked into it yet, but figured I would keep all of the suggestions in public view.

Gerald
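
The checks described in this thread, as an added example that is not part of the original messages and is not sniffdet's code: a small arpwatch-style detector that flags an IP changing MAC, an IP answered by two MACs at once, and one MAC claiming several IPs. The names `detect`, `SAMPLE`, `flap_window` and the alert labels are assumptions made for illustration, as is reading "the same ARP address" as one MAC shared by several IPs.

```python
from collections import defaultdict

# Constructed sample observations: (seconds, sender IP, sender MAC), as they
# might be parsed from ARP replies seen on one host. Not real capture data.
SAMPLE = [
    (0,   "192.0.2.1",  "00:00:5e:00:53:01"),  # gateway
    (5,   "192.0.2.10", "00:00:5e:00:53:10"),
    (9,   "192.0.2.11", "00:00:5e:00:53:11"),
    (30,  "192.0.2.1",  "00:00:5E:00:53:11"),  # .11's MAC now claims the gateway IP
    (31,  "192.0.2.1",  "00:00:5e:00:53:01"),  # real gateway answers again
    (900, "192.0.2.10", "00:00:5e:00:53:20"),  # lone change, e.g. a replaced NIC
]

def detect(observations, flap_window=60):
    """Return alerts as (time, kind, subject, detail) tuples."""
    current = {}                    # ip -> MAC currently bound to it
    last_seen = {}                  # (ip, mac) -> time this pair was last seen
    ips_for_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()           # MAC addresses are case-insensitive
        old = current.get(ip)
        if old is not None and old != mac:
            alerts.append((ts, "ip-changed-mac", ip, f"{old} -> {mac}"))
            # Returning to a MAC seen moments ago means two stations are
            # answering for the same IP at once, not a one-off replacement.
            prev = last_seen.get((ip, mac))
            if prev is not None and ts - prev <= flap_window:
                alerts.append((ts, "ip-has-multiple-macs", ip, f"{old} and {mac}"))
        if ip not in ips_for_mac[mac]:
            ips_for_mac[mac].add(ip)
            # Routers doing proxy ARP and hosts with IP aliases also trigger
            # this, so known cases need an allowlist in practice.
            if len(ips_for_mac[mac]) > 1:
                claimed = ", ".join(sorted(ips_for_mac[mac]))
                alerts.append((ts, "mac-claims-multiple-ips", mac, claimed))
        current[ip] = mac
        last_seen[(ip, mac)] = ts
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep="  ")
```

Run on each machine, this gives the per-host view the quoted message asks for; the switch-side check (a MAC moving between ports) needs data from the switch itself and is not covered here.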