Determining the presence of wireshark



 
 
#31
Old March 21st 10, 06:59 AM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Karthik Balaguru

On Mar 9, 10:40 pm, Jeff Liebermann wrote:
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru

wrote:
How to determine the presence of wireshark in a network ?


Look for NIC cards and wireless devices running in promiscuous mode.

Are there any specific packet types exchanged while it
is present in the network so that it can be used to determine
its presence in the network .


No. A sniffer is totally passive.


Agreed, a sniffer is totally passive! On analyzing various
internet links and also discussions, I understand that
unless the sniffer does not take care of things like
hiding IP address / there is a flaw in the operating system
similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not
possible to determine the presence of sniffers performing
passive sniffing in the network. The option of using
IPSec for all intranet traffic appears to be the main solution
against passive sniffing.

Though some OS can restrict that only admins can install
certain type of sniffers, I think that is not enough as
sometimes it can be via admin too.
I wonder, why don't the various OS support the detection
of sniffers so that if a user is running it in the network, the
OS might intimate it to the admins? Just eager to know,
is it not possible for the OS to detect a sniffer running on it
and intimate it?

I think, the various OS(TCP/IP) in network should be
configurable such that if there is a sniffer running on it, it
would be able to intimate to a set of users(admin) in the
network.

The OS here can be either Linux / Windows.
Are there any such tools already available ?

Any tool to identify its presence
in either Windows or Linux? Any ideas?


AntiSniff:
http://www.nmrc.org/pub/review/antisniff-b2.html
You may have trouble finding this one.

PromqryUI in DOS and Windowfied versions:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83b....
http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa....
Only works for detecting sniffers running on a Windoze system. I
haven't been able to detect DOS, Linux, or Mac sniffers with these
tools.

I've also noticed that most casual users of sniffers running on
laptops like to boot their operating system before firing up their
sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
requests before disappearing into promiscuous mode. These initial
packets can be detected with ArpWatch:
http://24h.atspace.com/it/security/arpwatch.htm

The problem is not identifying the presence of the sniffer, it's
identifying which machine is actually doing the sniffing. The MAC
address is a clue, but given the ease of MAC address spoofing, that
information is often useless. Even if I delivered the MAC address on
a silver platter, identifying which one of the potentially hundreds of
similar computers in the room or building might be difficult.

--


Thx in advans,
Karthik Balaguru
#32
Old March 21st 10, 10:45 AM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
pk[_2_]

Karthik Balaguru wrote:

But, I wonder what is the advantage/use of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios we might need to run wireshark
on an interface without IP address? Any thoughts?


If wireshark is receiving traffic from a mirrored switch port on a separate
dedicated link. You don't need any IP address on that interface.

#34
Old March 21st 10, 10:56 AM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
alexd

On 21/03/10 01:42, Karthik Balaguru wrote:

But, I wonder what is the advantage/use of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios we might need to run wireshark
on an interface without IP address? Any thoughts?


Let's say you're interested in traffic to/from Host A, but it has no
packet capture mechanism. You have a switch that can do port mirroring
[aka span port] and Host B with two network interfaces. You would mirror
to the spare interface of Host B, and in that case, the spare interface
you're mirroring to would not need an IP address.

Actually, a less contrived scenario [because it was me doing it this
past week] would be trying to work out the network address when the
telco has installed and provisioned a circuit with ethernet
presentation, but despite repeated requests, not given any network
address or subnet mask details. I plugged my laptop into their edge
router, ran 'tcpdump -n -i eth0' and within a couple of seconds I could
see ARP requests for a range of IP addresses. I was thus able to guess
the IP addresses in use on the circuit, and configured the customer's
edge router accordingly.

--
http://ale.cx/ (AIM:troffasky)
10:43:20 up 45 days, 11:28, 4 users, load average: 0.03, 0.10, 0.09
It is better to have been wasted and then sober
than to never have been wasted at all
#36
Old March 21st 10, 11:21 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Stephen[_5_]

On Sat, 20 Mar 2010 18:42:18 -0700 (PDT), Karthik Balaguru
wrote:

On Mar 20, 3:28 pm, Stephane CHAZELAS
wrote:
2010-03-20, 01:59(-07), Karthik Balaguru:
[...]

1. Sentinel
Supports 3 methods of remote promiscuous
detection: The DNS test,Etherping test,ARP test.
-a arp test, -d dns test,-e icmp etherping test.
Need to check it out. Has anyone tried this
out?


All those methods assume the interface is configured with an IP
address, or that the system supports IP.


Okay. Yeah, I analyzed it and it appears just like
as you conveyed - Passive sniffers in promiscuous
modes (remote) can be detected only if they are on
an interface with a configured IP address!

There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.


:-(
Interesting to know that wireshark or other sniffers
can be used on an interface that hasn't got any IP
address configured.

But, I wonder what is the advantage/use of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios we might need to run wireshark
on an interface without IP address? Any thoughts?


at least 4.

1 - you do not pollute a general capture file with crud from the
capture PC (this is generally true - eg on a "real" Sniffer).

It makes figuring out what is going on from scratch easier.

2 - if you are connecting to say a customer network then you do not
get issues with the capture PC trying to join the local M$oft AD
domain, or catching a local propagating net virus.

3. If you run IP on the interface some firewall configs will try to
block IP of various types to "improve" the PC security.......

4. you may not use IP on this network (much more rare recently, but
used to be common)

Probably same with

sudo ip addr flush dev eth0


:-(
It appears that there is NO method to detect passive sniffing
unless the sniffer does not take care of things like hiding
IP address / using a proper flawless OS.

2. neped.c
http://www.artofhacking.com/tucops/h.../aoh_neped.htm
Network Promiscuous Ethernet Detector w.r.t Linux-
Specifically designed to detect the sniffers that
use the flaw in Linux TCP/IP Stack!! I think this
will not be useful for the kernels in which the
flaw has been fixed such as kernel 2.2.10 as they
drop the incoming packets that are not destined
for this ethernet address.


2.2.9 was released in May 1999. I don't expect there be a lot of
pre-2.2.10 Linux boxes around nowadays.


True that there might not be many systems that use pre-2.2.10
unless upgraded. So, it is difficult to determine the presence
of a sniffer in networks in such a case.

So, in brief - NO METHOD to detect Passive Sniffing :-(
That is, it seems that unless there is a flaw in the operating
system similar to that of TCP/IP in pre-2.2.10 linux kernel, it
is not possible to determine the presence of sniffers performing
passive sniffing in the network.


You can detect the presence of a device where there is a lower layer
protocol that the device has to actively use to run.

wireless LAN with a sniffer that doesn't understand passive only
wireless mode for example - no idea if that still includes
wireshark.....

note - at this point all you can tell is there is a device present -
not what it is doing.

Karthik Balaguru

--
Regards

- replace xyz with ntl
#37
Old March 22nd 10, 09:06 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Rick Jones

In comp.os.linux.networking Karthik Balaguru wrote:

Okay. Yeah, I analyzed it and it appears just like as you conveyed
- Passive sniffers in promiscuous modes (remote) can be detected only
if they are on an interface with a configured IP address!


Or more generally be coerced into emitting some traffic. It does not
have to be IP traffic. If there were a flaw that caused the sniffing
system to respond to an 802.2 XID/Test frame that would be a
non-IP-configured situation.

:-( Interesting to know that wireshark or other sniffers can be used
on an interface that hasn't got any IP address configured.


There is more to networking than is dreamt-of in IP's universe

But, I wonder what is the advantage/use of running wireshark on an
interface that hasn't got any IP address. In what kind of scenarios
we might need to run wireshark on an interface without IP address?
Any thoughts?


From time to time, to figure-out the MAC address of some new-to-me
device I have connected it to an unused port on some other system,
fired-up a sniffer on that port, and the fired-up the new-to-me
device. Generally I'm looking for the DHCP request so I can get the
MAC to edit my own DHCP server configurations to give the new-to-me
device a specific IP address.

rick jones
--
No need to believe in either side, or any side. There is no cause.
There's only yourself. The belief is in your own precision. - Joubert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
#39
Old March 22nd 10, 11:34 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Jeff Liebermann

On Sat, 20 Mar 2010 23:59:41 -0700 (PDT), Karthik Balaguru
wrote:

Agreed, a sniffer is totally passive! On analyzing various
internet links and also discussions, I understand that
unless the sniffer does not take care of things like
hiding IP address / there is a flaw in the operating system
similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not
possible to determine the presence of sniffers performing
passive sniffing in the network.


That doesn't really make sense. For sniffing, there is no need for
the sniffer to obtain or fake an IP address. Sniffing is usually done
at Layer 2 or the MAC address layer (although I've sniffed at the
physical layer with an oscilloscope looking for waveform corruption).
Since the passive sniffer is not interested in collecting its own
traffic, there's no need to assign it an IP address. One can
literally cut the transmit ethernet pair on the transceiver and still
sniff. Assorted products (and methods):
http://www.netoptics.com
This works:
http://www.ethereal.com/lists/ethereal-dev/200012/msg00037.html

Just to make sure you understand, just creating an ethernet tap and
sniffing with Ethereal or Wireshark is not going to give you access to
all the network traffic. You're most likely going to have an ethernet
switch between the internet or a server and your sniff point. You'll
only see the traffic that either has YOUR destination MAC address, or
is a broadcast. Traffic to and from some other workstation is going
to be invisible.

That's not quite true with wireless networks, where you can
theoretically hear everyone. However, that's a bad assumption. If
you want to sniff both sides of wireless traffic, you have to locate
your wireless sniffer in a place where you can hear both radios at the
end points of a link. For point to point links, that's not so easy as
you would need to be along the line of sight. It will work for a hot
spot, where all the radios involved are in an enclosed area, and your
sniffer can hear all of them.

The option of using
IPSec for all intranet traffic appears to be the main solution
against passive sniffing.


Nope. There's also SSL, dedicated encryption devices, and MAC layer
encryption as found on some ethernet cards (i.e. 3COM 3CR990b).
http://www.3com.com/products/en_US/detail.jsp?pathtype=purchase&tab=features&sku=3CR990-TX-97
You can also do application layer encryption. If you really want to
drive a sniffer nuts, try transport layer obfuscation, where the
transceiver injects extra bits of garbage, and the receiving end
removes the extra bits, using some kind of synchronized algorithm such
as GPS clock sync, or a common lookup table. There are plenty of ways
to turn data into garbage, but only a few that will turn garbage back
into data.

Though some OS can restrict that only admins can install
certain type of sniffers, I think that is not enough as
sometimes it can be via admin too.


In a locked down IT department monitored environment, that might make
some sense. Anywhere else, most users are able to run as root or
administrator with a minimum of effort.

I wonder, why don't the various OS support the detection
of sniffers so that if a user is running it in the network, the
OS might intimate it to the admins?


Because approximately 0.00000001% of the computers on the planet need
a sniffing function and NBC (NoBody Cares). A better question would
be why Microsloth intentionally disabled access to the promiscuous and
monitor modes in NDIS 5, while Linux allows it in every network
driver. Hint: Think of a good conspiracy theory.

Just eager to know,
is it not possible for the OS to detect a sniffer running on it
and intimate it?


The OS can easily detect if the ethernet card on the same machine
is running in promiscuous mode. That's easy because the OS has direct
access to the NIC registers and driver settings. That's not so easy
from outside the computah, where such testing would be considered a
hostile probe attempt.

I think, the various OS(TCP/IP) in network should be
configurable such that if there is a sniffer running on it, it
would be able to intimate to a set of users(admin) in the
network.


Sorry, I don't understand that statement. TCP/IP is not an operating
system. An application cannot imitate itself. I have no idea what
you mean by "set of users(admin)". There is no root/admin access
security on the network. Try again.

The OS here can be either Linux / Windows.
Are there any such tools already available ?


Make my life easy. What are you trying to accomplish? There are
plenty of tools, but you have not described what you are doing, and
therefore recommending specific applications will probably not fit
your unspecified goal.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com
#
http://www.LearnByDestroying.com AE6KS
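Jeff's point that the OS can easily tell whether its own NIC is in promiscuous mode is the one check that actually works, and it is local. The script below is an added example, not code from the thread: it reads each interface's flags from Linux sysfs (/sys/class/net/<if>/flags) and reports any interface with IFF_PROMISC (0x100) set, so it can be run from cron to do the alerting Karthik was asking the OS for. It assumes a Linux host; the test directory layout in the functions is an assumption mirroring sysfs.

```shell
#!/bin/sh
# Local promiscuous-mode audit for Linux (added example, not from the thread).
# The kernel exposes each interface's flags in /sys/class/net/<if>/flags as a
# hex word; bit 0x100 is IFF_PROMISC (include/uapi/linux/if.h). This is the
# host-side view Jeff describes: it reads the NIC's own state, so it finds a
# sniffer on this machine only, never one on another host on the wire.

IFF_PROMISC=256   # 0x100

# promisc_state FLAGS -> prints "yes" when IFF_PROMISC is set in FLAGS, else "no".
# FLAGS may be hex as sysfs prints it (0x1103) or decimal; shell arithmetic
# accepts both.
promisc_state() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# audit_promisc [SYSFS_NET_DIR] -> prints "PROMISC: <if> (flags <hex>)" for
# every promiscuous interface under SYSFS_NET_DIR (default /sys/class/net).
# Returns 1 if at least one was found and 0 if none, so a cron job or
# systemd timer can alert on the exit status alone.
audit_promisc() {
    dir=${1:-/sys/class/net}
    found=0
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue          # no interfaces, or not Linux sysfs
        flags=$(cat "$f")
        ifname=$(basename "$(dirname "$f")")
        if [ "$(promisc_state "$flags")" = yes ]; then
            echo "PROMISC: $ifname (flags $flags)"
            found=1
        fi
    done
    return $found
}

# When saved as promisc_audit.sh and executed directly, audit the live system.
# `ip link show` reports the same bit as PROMISC, but the sysfs read needs no
# extra tools and is trivial to schedule.
if [ "${0##*/}" = "promisc_audit.sh" ]; then
    audit_promisc
fi
```

The flag reflects only this host's driver state: a sniffer on a mirrored switch port or behind a passive tap, as pk and Jeff describe, leaves nothing here to find.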