A Windows Vista forum. Vista Banter

Determining the presence of wireshark



 
 
  #1 (permalink)  
Old March 9th 10, 03:27 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Karthik Balaguru
external usenet poster
 
Posts: 41
Default Determining the presence of wireshark

Hi,
How can I determine the presence of Wireshark in a network?
Are there any specific packet types exchanged while it
is present in the network, so that they can be used to determine
its presence? Any tool to identify its presence
in either Windows or Linux? Any ideas?

Thanks in advance,
Karthik Balaguru
  #2 (permalink)  
Old March 9th 10, 04:40 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Jeff Liebermann
external usenet poster
 
Posts: 6
Default Determining the presence of wireshark

On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
wrote:

> How to determine the presence of wireshark in a network ?

Look for NIC cards and wireless devices running in promiscuous mode.

> Are there any specific packet types exchanged while it
> is present in the network so that it can be used to determine
> its presence in the network .

No. A sniffer is totally passive.

> Any tool to identify its presence
> in either Windows or Linux ? Any ideas ?

AntiSniff:
http://www.nmrc.org/pub/review/antisniff-b2.html
You may have trouble finding this one.

PromqryUI in DOS and Windowfied versions:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en
Only works for detecting sniffers running on a Windoze system. I
haven't been able to detect DOS, Linux, or Mac sniffers with these
tools.

I've also noticed that most casual users of sniffers running on
laptops like to boot their operating system before firing up their
sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
requests before disappearing into promiscuous mode. These initial
packets can be detected with ArpWatch:
http://24h.atspace.com/it/security/arpwatch.htm

The problem is not identifying the presence of the sniffer, it's
identifying which machine is actually doing the sniffing. The MAC
address is a clue, but given the ease of MAC address spoofing, that
information is often useless. Even if I delivered the MAC address on
a silver platter, identifying which one of the potentially hundreds of
similar computers in the room or building might be difficult.

--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
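An added example, not from the thread and not ArpWatch's own code: an arpwatch-style station table fed with constructed records of the broadcast chatter a freshly booted laptop emits (a DHCP Discover with no address yet, then ARP). It raises "new station" for a MAC never seen before and "flip flop" when a known IP shows up with a different MAC; the baseline table and all addresses are made up for the example.

```python
# Constructed records of broadcast traffic: (kind, sender_mac, sender_ip).
# A DHCP Discover carries no IP yet (ciaddr is 0.0.0.0), hence None.
SAMPLE = [
    ("arp",  "00:11:22:33:44:06", "192.168.1.6"),   # already-known station
    ("dhcp", "00:11:22:33:44:08", None),            # laptop boots: DHCP Discover
    ("arp",  "00:11:22:33:44:08", "192.168.1.8"),   # same laptop, now addressed
    ("arp",  "aa:bb:cc:dd:ee:ff", "192.168.1.1"),   # gateway IP claimed by a new MAC
]

# Constructed baseline: ip -> mac pairs the monitor already trusts.
KNOWN = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.6": "00:11:22:33:44:06"}

def watch(records, known=None):
    """Replay records against the baseline; return events as (event, mac, ip).

    "new station": a hardware address never seen before (this is the window in
    which a laptop that will go promiscuous a moment later is still visible).
    "flip flop": a known IP answering from a different MAC (arpwatch's term)."""
    by_ip = dict(known or {})            # copy, so the caller's baseline is untouched
    seen_macs = set(by_ip.values())
    events = []
    for kind, mac, ip in records:
        mac = mac.lower()
        if mac not in seen_macs:
            events.append(("new station", mac, ip))
            seen_macs.add(mac)
        if ip is None:
            continue                     # DHCP Discover: no ip/mac pair to record yet
        old = by_ip.get(ip)
        if old is not None and old != mac:
            events.append(("flip flop", mac, ip))
        by_ip[ip] = mac
    return events
```

As Jeff notes, this only catches the host while it is still talking; once the NIC is in promiscuous mode and the sniffer is silent there is nothing more for a passive monitor to see.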
  #4 (permalink)  
Old March 9th 10, 05:06 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Bob
external usenet poster
 
Posts: 2
Default Determining the presence of wireshark

On 09/03/2010 17:40, Jeff Liebermann wrote:

> PromqryUI in DOS and Windowfied versions:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en
> Only works for detecting sniffers running on a Windoze system. I
> haven't been able to detect DOS, Linux, or Mac sniffers with these
> tools.

Have you tried SNAT? I noticed it on YouTube last week.
http://www.snat-project.com/documentation.html


  #6 (permalink)  
Old March 9th 10, 06:11 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Rick Jones
external usenet poster
 
Posts: 4
Default Determining the presence of wireshark

In comp.os.linux.networking Bob wrote:
> Have you tried SNAT? I noticed it on YouTube last week.
> http://www.snat-project.com/documentation.html

I'm not sure how robust this:

> This action is the one I really like. With the help of it you can
> check if a host on your network is running a sniffer (well,
> technically you're checking if the NIC of that host is running in
> promiscuous mode). The idea behind this is to use an ARP request
> with a forged destination address. First of all let me explain
> what a promiscuous and a normal mode for the NIC is. In the first
> one the network card simply picks up all of the packets (even
> those that are not directed to it); the second mode only picks up
> the packets that are directed to it and drops any other
> packets. But all network cards that work in normal mode will
> pick up a packet with the destination address equal to
> FF:FF:FF:FF:FF:FF (broadcast). So where is the trick? In a
> network with all NICs working in normal mode, if you send an ARP
> request with the destination address = FF:FF:FF:FF:FF:FE none of
> the cards will reply. All of them will simply drop it. But when a
> card works in promiscuous mode it will pick up that packet
> (remember that it picks up all the packets regardless) and reply
> to the request. So when you get a reply from a host after sending
> such a forged packet it means that the NIC is working in promisc
> mode, so probably a network sniffer is running on that
> machine. Let me demonstrate it for you. I'm 192.168.1.6 and the
> host I want to check is 192.168.1.8. As usual go to the directory
> where you have snat.jar and execute the command (if you have any
> problems go here):

will be. First, I suppose that 99 times out of 10 a host responding
to that MAC address will be in promiscuous mode, but since the group
bit is set... And I would think all it takes is a small change to the
ARP code to verify that the destination MAC was a full broadcast...

The upshot is it is probably best to ass-u-me that unless you have
complete physical control of your network - all the wires, all the
ports, no wireless - that someone is listening.

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
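An added example, not from the thread and not the SNAT project's code: a model of the forged-destination ARP probe the quoted documentation describes, with the NIC's receive filter in normal versus promiscuous mode and the stricter ARP-stack check Rick suggests. Nothing is sent; the frame is built only to show the fields involved, and the prober's addresses (the 192.168.1.6 host of the quote, with a made-up MAC) are constructed.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
PROBE_DST = "ff:ff:ff:ff:ff:fe"   # the forged "almost broadcast" destination from the SNAT text
PROBER_MAC, PROBER_IP = "00:11:22:33:44:06", "192.168.1.6"   # constructed prober identity

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame carrying an ARP request (RFC 826 field order); 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)     # htype, ptype, hlen, plen, op=request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)         # sender hardware / protocol address
    arp += b"\x00" * 6 + ip_bytes(target_ip)             # target hardware (unknown) / protocol address
    return eth + arp

def is_group_address(mac):
    """The I/G bit (LSB of the first octet) is set on the probe address too, Rick's point."""
    return mac_bytes(mac)[0] & 1 == 1

def nic_accepts(frame, nic_mac, promisc):
    """Model of the hardware filter: own unicast or true broadcast; promiscuous takes all."""
    dst = frame[:6]
    return promisc or dst in (mac_bytes(nic_mac), mac_bytes(BROADCAST))

def arp_stack_replies(frame, nic_mac, host_ip, strict):
    """Model of the host ARP code: reply if the target IP is ours. A strict stack also
    insists the frame was addressed to us or to the real broadcast address."""
    dst, target_ip = frame[:6], ".".join(str(b) for b in frame[38:42])
    if strict and dst not in (mac_bytes(nic_mac), mac_bytes(BROADCAST)):
        return False
    return target_ip == host_ip

def probe(host_mac, host_ip, promisc, strict=False):
    """True if the modelled host would answer the forged request, i.e. looks promiscuous."""
    frame = build_arp_request(PROBE_DST, PROBER_MAC, PROBER_IP, host_ip)
    if not nic_accepts(frame, host_mac, promisc):
        return False                       # normal mode: dropped by the NIC, no reply
    return arp_stack_replies(frame, host_mac, host_ip, strict)
```

The strict case is why the probe is only a heuristic: whether a promiscuous host answers depends on what its ARP implementation checks, so a silent host is not proof that nobody is listening.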
  #10 (permalink)  
Old March 9th 10, 07:45 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
DanS[_4_]
external usenet poster
 
Posts: 410
Default Determining the presence of wireshark

Rick Jones wrote in news:hn66ht$h7r$2@usenet01.boi.hp.com:

> In comp.os.linux.networking Bob wrote:
>> Have you tried SNAT? I noticed it on YouTube last week.
>> http://www.snat-project.com/documentation.html
>
> I'm not sure how robust this:
>
>> This action is the one I really like. With the help of it you can
>> check if a host on your network is running a sniffer (well,

SNIP

>> host I want to check is 192.168.1.8 As usual go to the directory
>> where you have snat.jar and execute the command (if you have any
>> problems go here) :
>
> will be. First, I suppose that 99 times out of 10 a host responding
> to that MAC address will be in promiscuous mode, but since the group
> bit is set... And I would think all it takes is a small change to the
> ARP code to verify that the destination MAC was a full broadcast...

Is this supposedly for Windows, Linux, OSX, BSD, etc.?

I'm sure it's OS specific. For instance, a Windows box will not reply to a
broadcast ping, but a Linux box will.
 



