A Windows Vista forum. Vista Banter

Networking with Windows Vista: networking issues and questions with Windows Vista (microsoft.public.windows.vista.networking_sharing)

Determining the presence of wireshark

#41, March 24th 10, 04:35 PM, posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
bod43 (external usenet poster, Posts: 2)
Determining the presence of wireshark

On 22 Mar, 23:34, Jeff Liebermann wrote:
> On Sat, 20 Mar 2010 23:59:41 -0700 (PDT), Karthik Balaguru wrote:
>> Agreed, sniffer is totally passive! On analyzing various
>> internet links and also discussions, I understand that
>> unless the sniffer fails to take care of things like
>> hiding its IP address, or there is a flaw in the operating system
>> similar to that of TCP/IP in pre-2.2.10 Linux kernels, it is not
>> possible to determine the presence of sniffers performing
>> passive sniffing in the network.

Lots of good Jeff Stuff (TM) snipped

> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060


Maybe the OP would like Token Ring where if I
recall correctly the protocol required that MACs in
promiscuous mode set the "Monitor Present"
bit in the token (or somewhere - can't be bothered to
check and it's been a while -- and no one cares).

As many people have said there is no way to
guarantee detecting a monitor on the network.

Of course at one time with fiber it was indeed believed
that intrusion was detectable.

The idea was this.

You constantly monitored all connections for service
interruptions. If there was an interruption you sent round
the boys in black to check for network taps just in case
the interruption was caused by someone inserting a tap.

Otherwise the only way of seeing the light was to bend the
fiber sharply which caused leakage. Someone I seem
to recall came up with something that detected that too.
A company I worked at was involved in bidding on
such a proposal decades ago. We didn't get the job
(or maybe just no one told me and maybe the whole
thing fell through anyway).

Of course all this is only affordable for government level
or similar security.

Then there is quantum cryptography which guarantees
that message interception is detectable by principle.

#43, March 25th 10, 11:49 PM, posted to alt.internet.wireless,comp.os.linux.networking,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Aaron Leonard (external usenet poster, Posts: 2)
Determining the presence of wireshark

~ But, I wonder what is the advantage/use of running
~ Wireshark on an interface that hasn't got any IP address.
~ In what kind of scenarios might we need to run Wireshark
~ on an interface without an IP address? Any thoughts?
~
~ How about running Wireshark while hiding from people
~ who are trying to find people running Wireshark?
~
~
~ :-) :-)
~ I had that in mind!
~ But is it only for that reason? Are there no other scenarios?

When I'm getting a promiscuous capture, I want to obtain as accurate
a capture from the channel as is possible (/convenient). Having
my sniffer's IP stack enabled is not helpful in this regard. In
fact, since some operating systems will babble incessantly on any
interface with an IP address, it is downright harmful to accurate
capture.

For example, if I'm trying to measure the 802.11n performance
between one of our APs and a client device, it doesn't do me
any good for my sniffer to be spamming the channel with some
NBNS nonsense at the same time.

I.e., this is just basic test engineering 101: if you're going to
perform an observation, you want the process of observation to be
as non-intrusive as it can be.

Aaron
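Aaron's point, that the capture interface should carry no IP stack so the sniffer itself stays silent on the medium, turns into a quick pre-capture check. The Python below is an added example, not code from the thread or from Wireshark: it parses the one-line-per-address output of `ip -o addr show` (a constructed sample is embedded; the interface names and addresses in it are made up) and reports every address still bound to the interface you intend to capture on. An auto-configured IPv6 link-local address counts as a finding too, because the host will still send Neighbor Discovery and MLD traffic from it.

```python
"""Pre-capture check: does the intended capture interface still have an IP stack?

Added example (not from the thread). Parses `ip -o addr show` output, which prints
one line per assigned address, and reports every address bound to an interface.
"""
import re
import subprocess

# Constructed sample of `ip -o addr show` output; names and addresses are made up.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 85000sec preferred_lft 85000sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
3: mon0    inet6 fe80::5054:ff:feab:cdef/64 scope link \\       valid_lft forever preferred_lft forever
"""

# "<index>: <iface>    <inet|inet6> <addr>/<prefix> ... scope <scope> ..."
_ADDR_RE = re.compile(
    r"^\d+:\s+(?P<iface>\S+)\s+(?P<family>inet6?)\s+(?P<addr>\S+)"
    r"(?:.*?\sscope\s+(?P<scope>\S+))?"
)


def parse_ip_addr(output):
    """Map interface name -> list of (family, address/prefix, scope)."""
    table = {}
    for line in output.splitlines():
        m = _ADDR_RE.match(line)
        if not m:
            continue
        table.setdefault(m["iface"], []).append(
            (m["family"], m["addr"], m["scope"] or "")
        )
    return table


def capture_interface_findings(output, iface):
    """Return one human-readable finding per address on `iface`; empty means quiet.

    Anything bound to the interface, a global IPv4 lease or just the automatic
    IPv6 link-local address, lets the OS talk on the medium while you capture.
    An interface that exists but has no addresses produces no lines at all.
    """
    findings = []
    for family, addr, scope in parse_ip_addr(output).get(iface, []):
        if family == "inet6" and scope == "link":
            findings.append(f"{iface}: link-local {addr} still present (NDP/MLD chatter); "
                            "disable IPv6 autoconf on this interface")
        elif family == "inet6":
            findings.append(f"{iface}: IPv6 {addr} ({scope}) is configured; remove it before capturing")
        else:
            findings.append(f"{iface}: IPv4 {addr} ({scope}) is configured; remove it before capturing")
    return findings


def check_live_interface(iface):
    """Run the real command on this host (Linux with iproute2) and return findings."""
    out = subprocess.run(["ip", "-o", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    return capture_interface_findings(out, iface)


if __name__ == "__main__":
    for name in ("eth0", "mon0", "mon1"):
        problems = capture_interface_findings(SAMPLE_IP_ADDR, name)
        print(name, "->", problems or ["no addresses found: quiet capture interface"])
```

Run `check_live_interface("<iface>")` on the capture box before starting the capture; an empty list is what you want. The check only says what is bound to the interface, so confirm separately (with `ip link`) that the interface actually exists and is up.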
#45, March 26th 10, 07:24 AM, posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Jeff Liebermann (external usenet poster, Posts: 6)
Determining the presence of wireshark

On Wed, 24 Mar 2010 09:35:39 -0700 (PDT), bod43 wrote:

> You constantly monitored all connections for service
> interruptions. If there was an interruption you sent round
> the boys in black to check for network taps just in case
> the interruption was caused by someone inserting a tap.

Yeah, sure. If there were only one interruption caused by a tap
insertion, that would probably be cause for an investigation. When
you have a few dozen minor interruptions daily, it's difficult to get
inspired to investigate one more. More likely, the fault will
magically heal itself, and the operator or log skimmer will assume
it's a transient error. If 10G, GFEC (Generic forward error
correction) might mask any errors.

Many of the fibers worth tapping are miles and miles long. One big
long dark fiber. How about this run from Santa Cruz to Sunnyvale in
one piece? About 99% of the light never makes it to the other end,
but that's good enough for DWDM (dense wave division mux). A little
additional loss, and probably nobody would notice.

On the other foot, picking up leakage from a bent single mode fiber is
not my idea of fun. I could probably build a suitable pickup, but
trying to get all the different colors separated would be a mess.
Besides, the DWDM sniffer box would probably cost $10,000 and up. Even
so, sniffing fiber is like drinking from a fire hose. The horsepower
required to decode and capture everything is well beyond that of a
common PC.

> Of course all this is only affordable for government level
> or similar security.

If you throw an infinite amount of (public) money at a problem,
anything is solvable (except maybe federal health care).

> Then there is quantum cryptography which guarantees
> that message interception is detectable by principle.

Yep. That's the major benefit.
--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
#47, March 29th 10, 09:25 PM, posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Shadow[_3_] (external usenet poster, Posts: 2)
Determining the presence of wireshark

On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru wrote:

> Hi,
> How to determine the presence of wireshark in a network?
> Are there any specific packet types exchanged while it
> is present in the network so that it can be used to determine
> its presence in the network. Any tool to identify its presence
> in either Windows or Linux? Any ideas?
>
> Thx in advance,
> Karthik Balaguru

Wireshark has DNS resolving on by default (or it used to, as
far as I can remember). If the sniffer is an amateur, and leaves it
on, you can try to ping an imaginary address. The sniffer's Wireshark
will pick up the address and try to resolve it. So just filter with
"dns and <pinged IP>" and you can see which computer Wireshark is on.
Duh.
[]'s
Kismet and aircrack of course are MUCH less detectable than
Wireshark... they are totally non-intrusive.

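Shadow's trick, ping an address nobody uses and watch which host then asks the DNS server to reverse-resolve it, is something a defender can turn into a repeatable check rather than eyeballing a display filter. The Python below is an added example and not from the thread or from Wireshark: it builds the reverse-lookup names for one or more bait addresses (`in-addr.arpa` for IPv4, `ip6.arpa` for IPv6, via the standard library's `reverse_pointer`) and scans `tcpdump -n 'udp port 53'`-style query lines for PTR queries against those names, reporting the source host of each. The log lines, the bait addresses 10.0.0.250 and fd00::fe, and the host addresses are all constructed.

```python
"""Which host reverse-resolves a bait address it only saw on the wire?

Added example (not from the thread). Ping an unused address on your own LAN, then
run this over the DNS query traffic seen at the resolver or on the segment.
"""
import ipaddress
import re

BAIT = ("10.0.0.250", "fd00::fe")   # unused addresses we pinged (constructed)
OUR_HOST = ("10.0.0.9",)            # the machine that sent the pings (constructed)


def bait_names(bait_ips):
    """Reverse-lookup names a resolver would ask for: in-addr.arpa / ip6.arpa."""
    return {ipaddress.ip_address(ip).reverse_pointer for ip in bait_ips}


_V6_BAIT_NAME = ipaddress.ip_address("fd00::fe").reverse_pointer  # used to build the sample

# Query lines in the shape tcpdump -n 'udp port 53' prints (constructed sample):
#   <time> IP <src>.<sport> > <dst>.<dport>: <id>+ <QTYPE>? <name>. (<len>)
SAMPLE_LOG = f"""\
12:00:01.104 IP 10.0.0.5.40001 > 10.0.0.1.53: 1001+ A? www.example.com. (33)
12:00:02.000 IP 10.0.0.9.40444 > 10.0.0.1.53: 2001+ PTR? 250.0.0.10.in-addr.arpa. (44)
12:00:03.220 IP 10.0.0.23.51234 > 10.0.0.1.53: 4711+ PTR? 250.0.0.10.in-addr.arpa. (44)
12:00:03.221 IP 10.0.0.1.53 > 10.0.0.23.51234: 4711 NXDomain 0/1/0 (99)
12:00:03.300 IP 10.0.0.5.40002 > 10.0.0.1.53: 1002+ PTR? 1.0.0.10.in-addr.arpa. (42)
12:00:04.010 IP6 fd00::23.51235 > fd00::1.53: 4712+ PTR? {_V6_BAIT_NAME}. (90)
"""

_QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+) > \S+: \d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \("
)


def find_resolving_hosts(log_lines, bait_ips, exclude=()):
    """Map source host -> list of bait names it tried to reverse-resolve.

    `exclude` should hold the address(es) of the machine that sent the pings,
    since its own ping utility may do the same PTR lookup unless run with -n.
    """
    targets = bait_names(bait_ips)
    skip = {str(ipaddress.ip_address(ip)) for ip in exclude}
    hits = {}
    for line in log_lines:
        m = _QUERY_RE.match(line)
        if not m or m["qtype"] != "PTR":
            continue
        qname = m["qname"].lower()
        if qname not in targets:
            continue
        try:
            # Drop the port suffix; normalise so "fd00::23" and "fd00:0:0::23" compare equal.
            src = str(ipaddress.ip_address(m["src"].rsplit(".", 1)[0]))
        except ValueError:
            continue
        if src in skip:
            continue
        hits.setdefault(src, []).append(qname)
    return hits


def demo():
    """Run the check over the constructed sample."""
    return find_resolving_hosts(SAMPLE_LOG.splitlines(), BAIT, exclude=OUR_HOST)


if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host} reverse-resolved bait address(es): {', '.join(names)}")
```

Treat a hit as a lead, not proof: any tool that reverse-resolves addresses it sees will trigger it, and the pinging host itself will unless `ping -n` is used (hence `exclude`). The absence of hits proves nothing either; current Wireshark releases ship with network-layer name resolution disabled, so, as Shadow says, this only catches a sniffer whose operator left it on.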