----- Original Message ----- From: "Laurence F. Sheldon, Jr." <larrysheldon@cox.net> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 10:49 PM Subject: Re: sniffer/promisc detector
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode
or
sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
In an all switched network, sniffing can normally only be accomplished with MAC address spoofing (Man In The Middle). Watching for MAC address changes (from every machines perspective), along with scanning for seperate machines with the same ARP address, and using switches that can detect when a MAC address moves between ports will go a long way towards detecting sniffing. It can also be worthwhile setting up a machine on a switch to detect non-broadcast traffic that isn't for it - sometimes older switches get 'leaky' when they shouldn't be used. I'm not sure if it's still the case, but it used to be the case that when Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong. Sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode (the answer from those machines will be a RST packet). Some tools that google turned up (haven't tried them myself): http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html http://www.packetstormsecurity.org/sniffers/antisniff/ Apparently Man In The Middle attacks can also be detected by measuring the latency under different traffic loads, but I haven't looked to much into that. Sam