- Posts: 14
- Thank you received: 0
How to detect sniffers within and outside a network.
20 years 5 days ago #6014
by LostBoy
How to detect sniffers within and outside a network. was created by LostBoy
In reply to a query on how to detect sniffers, one of the things mentioned was to ping the suspected ip and a slight variation of its MAC address.
My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the ip address and a slight change of the suspected MAC address neither do I know/understand how to send arp requests to the suspected sniffer. When I ping an ip address followed by its MAC (or a slight variation of its MAC), I get bad parameter. HELP! I think I am being really stupid so could you tell me or redirect me to an idiot's guide on how to do this.
My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the ip address and a slight change of the suspected MAC address neither do I know/understand how to send arp requests to the suspected sniffer. When I ping an ip address followed by its MAC (or a slight variation of its MAC), I get bad parameter. HELP! I think I am being really stupid so could you tell me or redirect me to an idiot's guide on how to do this.
- FallenZer0
- Offline
- Premium Member
Less
More
- Posts: 259
- Thank you received: 0
20 years 5 days ago #6016
by FallenZer0
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
Replied by FallenZer0 on topic Re: How to detect sniffers within and outside a network.
--Check the below link.
www.robertgraham.com/pubs/sniffing-faq.html
See the section *How Can I Detect A Packet Sniffer*.
www.robertgraham.com/pubs/sniffing-faq.html
See the section *How Can I Detect A Packet Sniffer*.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
20 years 4 days ago #6032
by Rockape
Replied by Rockape on topic Re: How to detect sniffers within and outside a network.
I think there are a few things to deal with here, so lets try:
"My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the ip address and a slight change of the suspected MAC address"
Unless you happen to have a complete list of every device on your network (including IP address and Mac address), you won't easily be able to tell if this device should or should not be on the network. Sniffer programs can sit on any type of computer device (Laptop/Desktop) and must have a valid IP address and Subnet etc. So like I said above, unless you know every device on your network, finding a sniffer is difficult. The other thing to consider is a sniffer is just that, a sniffer. It sits on the network and just watches what goes past, and takes a copy. It doesn't interact with the network.
"neither do I know/understand how to send arp requests to the suspected sniffer."
Again, see above. In addition, arp requests are usually sent by devices to find out how to get to/from a specific device. The arp cache is normally a dynamic list of addresses. If you want to see what one looks like, then try the following: One of your PCs, ping a know device. Once you have had a response, type the following command: arp -a. This will show you all the devices your PC is aware of.
Finally, MAC addresses are hardcoded onto every device. So, although an IP address can be changed (by administrators etc), the mac address is constant. So, pinging an IP address and different MAC address doesn't seem like a good idea.
I hope that made some kind of sense, but it is still early(ish) in the morning, and my brain isn't fully awake yet!!!
"My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the ip address and a slight change of the suspected MAC address"
Unless you happen to have a complete list of every device on your network (including IP address and Mac address), you won't easily be able to tell if this device should or should not be on the network. Sniffer programs can sit on any type of computer device (Laptop/Desktop) and must have a valid IP address and Subnet etc. So like I said above, unless you know every device on your network, finding a sniffer is difficult. The other thing to consider is a sniffer is just that, a sniffer. It sits on the network and just watches what goes past, and takes a copy. It doesn't interact with the network.
"neither do I know/understand how to send arp requests to the suspected sniffer."
Again, see above. In addition, arp requests are usually sent by devices to find out how to get to/from a specific device. The arp cache is normally a dynamic list of addresses. If you want to see what one looks like, then try the following: One of your PCs, ping a know device. Once you have had a response, type the following command: arp -a. This will show you all the devices your PC is aware of.
Finally, MAC addresses are hardcoded onto every device. So, although an IP address can be changed (by administrators etc), the mac address is constant. So, pinging an IP address and different MAC address doesn't seem like a good idea.
I hope that made some kind of sense, but it is still early(ish) in the morning, and my brain isn't fully awake yet!!!
20 years 4 days ago #6033
by gl0bal
Replied by gl0bal on topic Re: How to detect sniffers within and outside a network.
Hi lostboy
From what I understand you can detect some sniffers by searching for NICs that are in 'promiscuous' mode. l0pht created a tool called AntiSniff that runs on the Windows platform.
There is some good info here
www.securiteam.com/tools/AntiSniff_-_fin...r_local_network.html
The links to www.l0pht.com/antisniff/ no longer work but you may be able to get a copy by going to www.astalavista.com and searching for antisniff. Unfortunately astalavista.com was down when I visited so I cannot confirm this.
There is a thread talking about your type of situation here
www.derkeiler.com/Newsgroups/microsoft.p...ty/2004-01/1621.html
From what I understand you can detect some sniffers by searching for NICs that are in 'promiscuous' mode. l0pht created a tool called AntiSniff that runs on the Windows platform.
There is some good info here
www.securiteam.com/tools/AntiSniff_-_fin...r_local_network.html
The links to www.l0pht.com/antisniff/ no longer work but you may be able to get a copy by going to www.astalavista.com and searching for antisniff. Unfortunately astalavista.com was down when I visited so I cannot confirm this.
There is a thread talking about your type of situation here
www.derkeiler.com/Newsgroups/microsoft.p...ty/2004-01/1621.html
20 years 3 days ago #6041
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: How to detect sniffers within and outside a network.
1. MAC addresses can be changed
2. Packets can be crafted from the data link layer up
3. I don't remember the exact methodology for detecting sniffers but it was something along the lines of the sniffer replying to some particular packet...
2. Packets can be crafted from the data link layer up
3. I don't remember the exact methodology for detecting sniffers but it was something along the lines of the sniffer replying to some particular packet...
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.132 seconds