Vista Banter, a Windows Vista forum
Forum: Networking with Windows Vista (microsoft.public.windows.vista.networking_sharing)

Determining the presence of wireshark

#21
Karthik Balaguru, March 20th 10, 07:59 AM, posted to alt.internet.wireless, comp.os.linux.networking, comp.os.linux.security, microsoft.public.access.security, microsoft.public.windows.vista.networking_sharing

On Mar 20, 11:49 am, PaulusJrLz wrote:
> On Mar 9, 11:27 pm, Karthik Balaguru wrote:
>
> > Hi,
> > How to determine the presence of wireshark in a network?
> > Are there any specific packet types exchanged while it
> > is present in the network so that it can be used to determine
> > its presence in the network? Any tool to identify its presence
> > in either Windows or Linux? Any ideas?
> >
> > Thx in advance,
> > Karthik Balaguru
>
> One indicator of sniffer activity is a lot of DNS requests from the
> sniffer.
> This detection is not always effective, since the sniffer's DNS resolution
> can be turned off.

I think that is how antisniff has been played down
by some sniffers.

I have been searching for these tools that help
in finding the remote systems in promiscuous mode
in a network. I did come across other tools that
help in detection of a system in promiscuous mode,
such as the following:

1. Sentinel
Supports 3 methods of remote promiscuous
detection: the DNS test, Etherping test, ARP test.
-a arp test, -d dns test, -e icmp etherping test.
Need to check it out. Has anyone tried this
out?

2. neped.c
http://www.artofhacking.com/tucops/h.../aoh_neped.htm
Network Promiscuous Ethernet Detector w.r.t. Linux.
Specifically designed to detect the sniffers that
use the flaw in the Linux TCP/IP stack! I think this
will not be useful for the kernels in which the
flaw has been fixed, such as kernel 2.2.10, as they
drop the incoming packets that are not destined
for this ethernet address.

3. promisc.c
http://seclists.org/nmap-hackers/199.../promisc_c.bin
Determines whether the machine on which it is run is
in promisc mode.
This is similar to "ifconfig -a | grep PROMISC" :-)
But this does not help remote machine (sniffer)
detection :-(

4. ifstatus
ftp://ftp.cerias.purdue.edu/pub/tool...tus-4.0.tar.gz
Checks the network interfaces on the
system and reports any that are in debug or
promiscuous mode. Not suitable for remote sniffer
detection :-(

5. Antisniff
So it appears that antisniff can be tricked if
kernel 2.2.10 is used, or if the DNS lookup test is
avoided, or if the sniffing is not done above an
average network traffic limit. And it seems there
is an equally interesting 'Anti-Antisniff Sniffer'
to play down the antisniff utility :-(

But I am not sure if Sentinel helps in detection
of remote promiscuous mode (sniffer) even in the
case of linux kernel 2.2.10!?

Thx in advance,
Karthik Balaguru
#23
Stephane CHAZELAS, March 20th 10, 09:28 AM

2010-03-20, 01:59(-07), Karthik Balaguru:
[...]
> 1. Sentinel
> Supports 3 methods of remote promiscuous
> detection: the DNS test, Etherping test, ARP test.
> -a arp test, -d dns test, -e icmp etherping test.
> Need to check it out. Has anyone tried this
> out?

All those methods assume the interface is configured with an IP
address, or that the system supports IP. There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.

Probably same with

sudo ip addr flush dev eth0

> 2. neped.c
> http://www.artofhacking.com/tucops/h.../aoh_neped.htm
> Network Promiscuous Ethernet Detector w.r.t. Linux.
> Specifically designed to detect the sniffers that
> use the flaw in the Linux TCP/IP stack! I think this
> will not be useful for the kernels in which the
> flaw has been fixed, such as kernel 2.2.10, as they
> drop the incoming packets that are not destined
> for this ethernet address.

2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.

--
Stéphane
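The "ARP test" that Sentinel and AntiSniff perform (post #21), together with the limits Stéphane describes in the post above, as an added example in Python written for this page; it is not code from the thread, from Sentinel or from AntiSniff. It builds an ARP request inside an Ethernet frame addressed to a bogus destination MAC and judges the replies. Only `probe_linux()` puts frames on the wire (Linux, CAP_NET_RAW); everything else runs offline on constructed sample frames (the 10.0.0.x addresses and locally administered MACs are made up). A reply from the target to a bogus-MAC probe means its NIC passed a frame it should have discarded and its stack answered it. No reply is deliberately not reported as "clean": either the target is not promiscuous or, as the neped discussion above notes, its kernel drops foreign-MAC frames before ARP sees them; and no reply even to the real-broadcast control means the host is down, has no IP address, or has an OUTPUT DROP rule, so nothing can be said.

```python
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")          # control probe: everyone answers
# Destination MACs a non-promiscuous NIC drops in hardware but a promiscuous
# one passes up. ff:ff:ff:ff:ff:fe is the classic AntiSniff-style fake broadcast.
BOGUS_MACS = {
    "fake-broadcast": bytes.fromhex("fffffffffffe"),
    "zero-mac": bytes.fromhex("000000000000"),
}


def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame + ARP 'who-has target_ip, tell src_ip'. dst_mac is the
    value under test; the ARP body names our real MAC so a reply reaches us."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + socket.inet_aton(src_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Used only to construct sample replies for the offline check below."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += src_mac + socket.inet_aton(src_ip) + dst_mac + socket.inet_aton(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": frame[22:28],
            "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_ip": socket.inet_ntoa(frame[38:42])}


def answered(target_ip, frames):
    """True if any captured frame is an ARP reply sent by target_ip."""
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["sender_ip"] == target_ip:
            return True
    return False


def verdict(target_ip, captures):
    """captures maps a probe label ('broadcast' plus the BOGUS_MACS keys) to the
    ARP frames captured in the window after that probe was sent."""
    if not answered(target_ip, captures.get("broadcast", [])):
        # Silent even to a real broadcast: host down, no IP address on the
        # interface, or an outbound DROP rule. Nothing can be concluded.
        return "inconclusive"
    if any(answered(target_ip, captures.get(lbl, [])) for lbl in BOGUS_MACS):
        # The NIC passed a frame it should have dropped and the stack answered.
        return "promiscuous"
    # Not promiscuous, or promiscuous on a kernel that discards foreign-MAC
    # frames before ARP sees them; the probe cannot tell these apart.
    return "not-promiscuous-or-hardened"


def probe_linux(iface, src_mac, src_ip, target_ip, wait=1.0):
    """Send the probes for real (Linux, needs CAP_NET_RAW) and collect the ARP
    frames seen after each; returns the captures dict that verdict() expects."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(0.2)
    captures = {}
    for label, dst in [("broadcast", BROADCAST)] + list(BOGUS_MACS.items()):
        sock.send(build_arp_request(dst, src_mac, src_ip, target_ip))
        frames, deadline = [], time.time() + wait
        while time.time() < deadline:
            try:
                frames.append(sock.recv(2048))
            except socket.timeout:
                pass
        captures[label] = frames
    sock.close()
    return captures


# Constructed sample data: probe station 10.0.0.1, target 10.0.0.7 (made-up
# addresses and locally administered MACs), one reply frame reused per window.
OUR_MAC, TARGET_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000007")
TARGET_IP = "10.0.0.7"
REPLY = build_arp_reply(TARGET_MAC, TARGET_IP, OUR_MAC, "10.0.0.1")
SAMPLES = {
    "sniffer": {"broadcast": [REPLY], "fake-broadcast": [REPLY], "zero-mac": []},
    "normal":  {"broadcast": [REPLY], "fake-broadcast": [], "zero-mac": []},
    "silent":  {"broadcast": [], "fake-broadcast": [], "zero-mac": []},
}
```

On a real segment, `verdict(target_ip, probe_linux("eth0", our_mac, our_ip, target_ip))` runs the whole test; the three entries in `SAMPLES` are the three outcomes the thread discusses: a promiscuous host on a stack that answers foreign-MAC frames, a normal host, and the interface that has no IP address or an outbound DROP rule and therefore cannot be told apart from a powered-off machine.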
#25
Karthik Balaguru, March 21st 10, 12:42 AM

On Mar 20, 3:28 pm, Stephane CHAZELAS wrote:
> 2010-03-20, 01:59(-07), Karthik Balaguru:
> [...]
> > 1. Sentinel
> > Supports 3 methods of remote promiscuous
> > detection: the DNS test, Etherping test, ARP test.
> > -a arp test, -d dns test, -e icmp etherping test.
> > Need to check it out. Has anyone tried this
> > out?
>
> All those methods assume the interface is configured with an IP
> address, or that the system supports IP.

Okay. Yeah, I analyzed it and it appears just
as you conveyed: passive sniffers in promiscuous
mode (remote) can be detected only if they are on
an interface with a configured IP address!

> There's no need for
> implementing an IP stack to sniff ethernet packets. One can use
> wireshark on an interface that hasn't got any IP address
> configured or that has a firewall rule that prevents it from
> emitting any packet.
>
> sudo iptables -I OUTPUT --out-interface eth0 -j DROP
>
> And that interface will not be detected.

:-(
Interesting to know that wireshark or other sniffers
can be used on an interface that hasn't got any IP
address configured.

But I wonder what is the advantage/use of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios might we need to run wireshark
on an interface without an IP address? Any thoughts?

> Probably same with
>
> sudo ip addr flush dev eth0

:-(
It appears that there is NO method to detect passive sniffing
unless the sniffer does not take care of things like hiding the
IP address / using a proper flawless OS.

> > 2. neped.c
> > http://www.artofhacking.com/tucops/h.../aoh_neped.htm
> > Network Promiscuous Ethernet Detector w.r.t. Linux.
> > Specifically designed to detect the sniffers that
> > use the flaw in the Linux TCP/IP stack! I think this
> > will not be useful for the kernels in which the
> > flaw has been fixed, such as kernel 2.2.10, as they
> > drop the incoming packets that are not destined
> > for this ethernet address.
>
> 2.2.9 was released in May 1999. I don't expect there to be a lot of
> pre-2.2.10 Linux boxes around nowadays.

True that there might not be many systems that use pre-2.2.10
unless upgraded. So, it is difficult to determine the presence
of a sniffer in networks in such a case.

So, in brief: NO METHOD to detect passive sniffing :-(
That is, it seems that unless there is a flaw in the operating
system similar to that of TCP/IP in the pre-2.2.10 linux kernel, it
is not possible to determine the presence of sniffers performing
passive sniffing in the network.

Karthik Balaguru
#27
Hal Murray, March 21st 10, 05:14 AM

> But I wonder what is the advantage/use of running
> wireshark on an interface that hasn't got any IP address.
> In what kind of scenarios might we need to run wireshark
> on an interface without an IP address? Any thoughts?

How about running Wireshark while hiding from people
who are trying to find people running Wireshark?

--
These are my opinions, not necessarily my employer's. I hate spam.

#28
Karthik Balaguru, March 21st 10, 05:35 AM

On Mar 21, 11:14 am, Hal Murray wrote:
> > But I wonder what is the advantage/use of running
> > wireshark on an interface that hasn't got any IP address.
> > In what kind of scenarios might we need to run wireshark
> > on an interface without an IP address? Any thoughts?
>
> How about running Wireshark while hiding from people
> who are trying to find people running Wireshark?

:-) :-)
I had that in mind!
But is it only for that reason? Are there no other scenarios?

Thx in advance,
Karthik Balaguru
#30
Karthik Balaguru, March 21st 10, 05:59 AM

On Mar 9, 10:40 pm, Jeff Liebermann wrote:
> On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru wrote:
> > How to determine the presence of wireshark in a network?
>
> Look for NIC cards and wireless devices running in promiscuous mode.
>
> > Are there any specific packet types exchanged while it
> > is present in the network so that it can be used to determine
> > its presence in the network?
>
> No. A sniffer is totally passive.

Agreed, a sniffer is totally passive! On analyzing various
internet links and also discussions, I understand
that unless the sniffer does not take care of things like
hiding the IP address / there is a flaw in the operating system
similar to that of TCP/IP in the pre-2.2.10 linux kernel, it is not
possible to determine the presence of sniffers performing
passive sniffing in the network. The option of using
IPsec for all intranet traffic appears to be the main solution
against passive sniffing.

Though some OSes can restrict that only admins can install
certain types of sniffers, I think that is not enough as
sometimes it can be via an admin too.
I wonder why the various OSes don't support the detection
of sniffers, so that if a user is running one in the network, the
OS might intimate it to the admins? Just eager to know:
is it not possible for the OS to detect a sniffer running on it
and intimate it?

I think the various OSes (TCP/IP) in a network should be
configurable such that if there is a sniffer running on it, it
would be able to intimate a set of users (admins) in the
network.

The OS here can be either Linux / Windows.
Are there any such tools already available?

> > Any tool to identify its presence
> > in either Windows or Linux? Any ideas?
>
> AntiSniff:
> http://www.nmrc.org/pub/review/antisniff-b2.html
> You may have trouble finding this one.
>
> PromqryUI in DOS and Windowfied versions:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83b....
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa....
> Only works for detecting sniffers running on a Windoze system. I
> haven't been able to detect DOS, Linux, or Mac sniffers with these
> tools.
>
> I've also noticed that most casual users of sniffers running on
> laptops like to boot their operating system before firing up their
> sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
> requests before disappearing into promiscuous mode. These initial
> packets can be detected with ArpWatch:
> http://24h.atspace.com/it/security/arpwatch.htm
>
> The problem is not identifying the presence of the sniffer, it's
> identifying which machine is actually doing the sniffing. The MAC
> address is a clue, but given the ease of MAC address spoofing, that
> information is often useless. Even if I delivered the MAC address on
> a silver platter, identifying which one of the potentially hundreds of
> similar computers in the room or building might be difficult.
>
> --

Thx in advance,
Karthik Balaguru
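The on-host side, i.e. the ifstatus / `ifconfig -a | grep PROMISC` check from post #21 together with the "OS intimates the admins" idea in the post above, as an added example in Python written for this page; it is not code from the thread, from ifstatus, from PromqryUI or from any other tool named here. On Linux it reads each interface's flags word from /sys/class/net/<iface>/flags (bit 0x100 is IFF_PROMISC) and replays the kernel's own "device X entered/left promiscuous mode" log lines; the sample flags and log lines below are constructed. The two signals are reported separately on purpose: the flags word reflects promiscuity set through the interface-flags path (`ip link set eth0 promisc on`), whereas promiscuity that a capture library requests through a packet socket is kept in a separate counter (`ip -d link show` prints it as `promiscuity N`) and need not appear in the flags word; the kernel log line is written on every transition whichever path caused it, so "kernel log only" is exactly the sniffer-on-this-box case an admin wants surfaced.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100   # bit in the interface flags word, from <linux/if.h>
# Line the Linux kernel logs (dmesg / journal) when an interface's
# promiscuous bit flips on or off.
PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def flags_say_promisc(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1143'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_events(log_lines):
    """(iface, 'entered'|'left') for every promiscuity change in the log lines."""
    return [(m.group(1), m.group(2)) for m in map(PROMISC_RE.search, log_lines) if m]


def promisc_now_from_log(log_lines):
    """Replay the log: an interface is promiscuous if its last event was 'entered'.
    The kernel logs only when the IFF_PROMISC bit actually changes, so
    last-event-wins is the right replay rule."""
    state = {}
    for iface, event in promisc_events(log_lines):
        state[iface] = (event == "entered")
    return {iface for iface, on in state.items() if on}


def report(flags_by_iface, log_lines):
    """Combine both signals per interface and say which one(s) fired, so the
    admin sees when the flags word and the kernel log disagree."""
    by_log = promisc_now_from_log(log_lines)
    out = {}
    for iface, text in flags_by_iface.items():
        from_flags, from_log = flags_say_promisc(text), iface in by_log
        if from_flags and from_log:
            out[iface] = "promiscuous (flags and kernel log agree)"
        elif from_flags:
            out[iface] = "promiscuous? (flags only)"
        elif from_log:
            out[iface] = "promiscuous? (kernel log only)"
        else:
            out[iface] = "normal"
    return out


def read_live_flags(sysfs="/sys/class/net"):
    """Read the real flags words on a Linux host; no privileges needed."""
    return {p.parent.name: p.read_text() for p in Path(sysfs).glob("*/flags")}


# Constructed sample inputs (not taken from a real host).
SAMPLE_FLAGS = {
    "lo":   "0x9\n",      # UP | LOOPBACK
    "eth0": "0x1143\n",   # UP | BROADCAST | RUNNING | PROMISC | MULTICAST
    "eth1": "0x1043\n",   # same without PROMISC
    "eth2": "0x1043\n",   # flags clear, but see the log below
}
SAMPLE_KLOG = [
    "[  120.551] device eth0 entered promiscuous mode",
    "[  121.002] device eth1 entered promiscuous mode",
    "[  130.777] device eth1 left promiscuous mode",
    "[  140.300] device eth2 entered promiscuous mode",
]

if __name__ == "__main__":
    for iface, line in sorted(report(SAMPLE_FLAGS, SAMPLE_KLOG).items()):
        print(f"{iface}: {line}")
```

On a real host, `report(read_live_flags(), open("/var/log/kern.log").read().splitlines())` (or the output of `dmesg`) gives the same table for the live interfaces; eth2 in the sample is the case the flags check alone would miss.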
 



