Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Networking with Windows Vista Networking issues and questions with Windows Vista. (microsoft.public.windows.vista.networking_sharing) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Determining the presence of wireshark
Hi,
How to determine the presence of wireshark in a network ? Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . Any tool to identify its presence in either Windows or Linux ? Any ideas ? Thx in advans, Karthik Balaguru |
|
|||
Determining the presence of wireshark
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
wrote: How to determine the presence of wireshark in a network ? Look for NIC cards and wireless devices running in promiscuous mode. Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . No. A sniffer is totally passive. Any tool to identify its presence in either Windows or Linux ? Any ideas ? AntiSniff: http://www.nmrc.org/pub/review/antisniff-b2.html You may have trouble finding this one. PromqryUI in DOS and Windowfied versions: http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en Only works for detecting sniffers running on a Windoze system. I haven't been able to detect DOS, Linux, or Mac sniffers with these tools. I've also noticed that most casual users of sniffers running on laptops like to boot their operating system before firing up their sniffers. The laptop will usually belch a few DHCP broadcasts and ARP requests before disappearing into promiscuous mode. These initial packets can be detected with ArpWatch: http://24h.atspace.com/it/security/arpwatch.htm The problem is not identifying the presence of the sniffer, it's identifying which machine is actually doing the sniffing. The MAC address is a clue, but given the ease of MAC address spoofing, that information is often useless. Even if I delivered the MAC address on a silver platter, identifying which one of the potentially hundreds of similar computers in the room or building might be difficult. -- Jeff Liebermann 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558 |
|
|||
Determining the presence of wireshark
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
wrote: How to determine the presence of wireshark in a network ? Look for NIC cards and wireless devices running in promiscuous mode. Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . No. A sniffer is totally passive. Any tool to identify its presence in either Windows or Linux ? Any ideas ? AntiSniff: http://www.nmrc.org/pub/review/antisniff-b2.html You may have trouble finding this one. PromqryUI in DOS and Windowfied versions: http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en Only works for detecting sniffers running on a Windoze system. I haven't been able to detect DOS, Linux, or Mac sniffers with these tools. I've also noticed that most casual users of sniffers running on laptops like to boot their operating system before firing up their sniffers. The laptop will usually belch a few DHCP broadcasts and ARP requests before disappearing into promiscuous mode. These initial packets can be detected with ArpWatch: http://24h.atspace.com/it/security/arpwatch.htm The problem is not identifying the presence of the sniffer, it's identifying which machine is actually doing the sniffing. The MAC address is a clue, but given the ease of MAC address spoofing, that information is often useless. Even if I delivered the MAC address on a silver platter, identifying which one of the potentially hundreds of similar computers in the room or building might be difficult. -- Jeff Liebermann 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558 |
|
|||
Determining the presence of wireshark
On 09/03/2010 17:40, Jeff Liebermann wrote:
PromqryUI in DOS and Windowfied versions: http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en Only works for detecting sniffers running on a Windoze system. I haven't been able to detect DOS, Linux, or Mac sniffers with these tools. Have you tried SNAT? I noticed it on YouTube last week. http://www.snat-project.com/documentation.html |
|
|||
Determining the presence of wireshark
On 09/03/2010 17:40, Jeff Liebermann wrote:
PromqryUI in DOS and Windowfied versions: http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en Only works for detecting sniffers running on a Windoze system. I haven't been able to detect DOS, Linux, or Mac sniffers with these tools. Have you tried SNAT? I noticed it on YouTube last week. http://www.snat-project.com/documentation.html |
|
|||
Determining the presence of wireshark
In comp.os.linux.networking Bob wrote:
Have you tried SNAT? I noticed it on YouTube last week. http://www.snat-project.com/documentation.html I'm not sure how robust this: This action is the one I really like. With the help of it you can check if a host on your network is running a sniffer (well, technically your checking if the NIC of that host is running in promiscuous mode). The idea behind this is to use an arp request with a forged destination address. First all of let me explain what is a promiscuous and a normal mode for the NIC. In the first one the network card simply picks up all of the packets (even those that are not directed to it), the second mode only picks up the packets that are directed to it and drops any other packets. But, all networks cards that work in normal mode will pick up a packet with the destination address equal FF:FF:FF:FF:FF:FF (broadcast). So where is the trick ? In a network with all NICs working in a normal mode if you send an arp request with the destination address = FF:FF:FF:FF:FF:FE none of the cards will reply. All of them will simply drop it. But when a card works in promiscuous mode it will pick up that packets (remember that it picks up all the packets regardless) and reply to the request. So when you get a reply from a host after sending such forged packet it means that the NIC is working in the promisc mode , so probably a network sniffer is running on that machine. Let me demonstrate it for you. I'm 192.168.1.6 and the host I want to check is 192.168.1.8 As usual go to the directory where you have snat.jar and execute the command (if you have any problems go here) : will be. First, I suppose that 99 times out of 10 a host responding to that MAC address will be in promiscuous mode, but since the group bit is set... And I would think all it takes is a small change to the ARP code to verify that the destination MAC was a full broadcast... The upshot is it is probably best to ass-u-me that unless you have complete physical control of your network - all the wires, all the ports, no wireless - that someone is listening. rick jones -- oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates these opinions are mine, all mine; HP might not want them anyway... feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH... |
|
|||
Determining the presence of wireshark
In comp.os.linux.networking Bob wrote:
Have you tried SNAT? I noticed it on YouTube last week. http://www.snat-project.com/documentation.html I'm not sure how robust this: This action is the one I really like. With the help of it you can check if a host on your network is running a sniffer (well, technically your checking if the NIC of that host is running in promiscuous mode). The idea behind this is to use an arp request with a forged destination address. First all of let me explain what is a promiscuous and a normal mode for the NIC. In the first one the network card simply picks up all of the packets (even those that are not directed to it), the second mode only picks up the packets that are directed to it and drops any other packets. But, all networks cards that work in normal mode will pick up a packet with the destination address equal FF:FF:FF:FF:FF:FF (broadcast). So where is the trick ? In a network with all NICs working in a normal mode if you send an arp request with the destination address = FF:FF:FF:FF:FF:FE none of the cards will reply. All of them will simply drop it. But when a card works in promiscuous mode it will pick up that packets (remember that it picks up all the packets regardless) and reply to the request. So when you get a reply from a host after sending such forged packet it means that the NIC is working in the promisc mode , so probably a network sniffer is running on that machine. Let me demonstrate it for you. I'm 192.168.1.6 and the host I want to check is 192.168.1.8 As usual go to the directory where you have snat.jar and execute the command (if you have any problems go here) : will be. First, I suppose that 99 times out of 10 a host responding to that MAC address will be in promiscuous mode, but since the group bit is set... And I would think all it takes is a small change to the ARP code to verify that the destination MAC was a full broadcast... The upshot is it is probably best to ass-u-me that unless you have complete physical control of your network - all the wires, all the ports, no wireless - that someone is listening. rick jones -- oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates these opinions are mine, all mine; HP might not want them anyway... feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH... |
|
|||
Determining the presence of wireshark
On March 9, 2010 12:40, in comp.os.linux.networking, wrote:
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru wrote: How to determine the presence of wireshark in a network ? Look for NIC cards and wireless devices running in promiscuous mode. Note that this will present false positives if the NICs in question are running with "user set" MAC addresses. With "user set" MAC addresses, the NIC cannot use it's builtin comparison logic to find frames addressed to the NIC. The OS NIC driver logic has to match the MAC address on /all/ "on the wire" packets to the "user set" MAC address, and extract those that match. This requires that the NIC run in promiscuous mode, to permit the driver access to all the network traffic. -- Lew Pitcher Master Codewright & JOAT-in-training | Registered Linux User #112576 Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/ ---------- Slackware - Because I know what I'm doing. ------ |
|
|||
Determining the presence of wireshark
Rick Jones wrote in news:hn66ht$h7r$2
@usenet01.boi.hp.com: In comp.os.linux.networking Bob wrote: Have you tried SNAT? I noticed it on YouTube last week. http://www.snat-project.com/documentation.html I'm not sure how robust this: This action is the one I really like. With the help of it you can check if a host on your network is running a sniffer (well, SNIP host I want to check is 192.168.1.8 As usual go to the directory where you have snat.jar and execute the command (if you have any problems go here) : will be. First, I suppose that 99 times out of 10 a host responding to that MAC address will be in promiscuous mode, but since the group bit is set... And I would think all it takes is a small change to the ARP code to verify that the destination MAC was a full broadcast... Is this supposedly for Windows, Linux, OSX, BSD, etc ? I'm sure it's OS specific. For instance, a Windows box will not reply to a broadcast ping, but a Linux box will. |
Thread Tools | |
Display Modes | |
|
|