March 20th 10, 09:28 AM, posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Stephane CHAZELAS
Determining the presence of wireshark

2010-03-20, 01:59(-07), Karthik Balaguru:
> [...]
> 1. Sentinel
> Supports 3 methods of remote promiscuous
> detection: The DNS test, Etherping test, ARP test.
> -a arp test, -d dns test, -e icmp etherping test.
> Need to check it out. Has anyone tried this
> out?


All those methods assume the interface is configured with an IP
address, or that the system supports IP. There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.

Probably same with

sudo ip addr flush dev eth0

> 2. neped.c
> http://www.artofhacking.com/tucops/h.../aoh_neped.htm
> Network Promiscuous Ethernet Detector w.r.t. Linux -
> Specifically designed to detect the sniffers that
> use the flaw in Linux TCP/IP Stack!! I think this
> will not be useful for the kernels in which the
> flaw has been fixed such as kernel 2.2.10 as they
> drop the incoming packets that are not destined
> for this ethernet address.


2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.

--
Stéphane
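A local check, added here as an example and not part of the original thread, for the situation Stéphane describes: the remote tests (DNS, Etherping, ARP) all depend on the sniffing host having an IP stack that answers, so the dependable place to look is the host itself. The script reads the kernel's interface flags word from /sys/class/net/<dev>/flags, in which IFF_PROMISC is bit 0x100 (linux/if.h); this reflects promiscuous mode regardless of whether the interface has an address or an egress DROP rule. The function and file names are my own.

```shell
#!/bin/sh
# Added example: detect promiscuous mode locally from the kernel's
# per-interface flags word instead of probing the host over the network.
# IFF_PROMISC is 1<<8 = 0x100 in linux/if.h.
IFF_PROMISC=256

# is_promisc_flags HEXFLAGS
#   Prints "yes" if the IFF_PROMISC bit is set in HEXFLAGS (as read from
#   /sys/class/net/<dev>/flags, e.g. 0x1103), otherwise "no".
is_promisc_flags() {
    flags=$(( $1 ))                 # POSIX arithmetic accepts 0x-prefixed hex
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# check_dev DEV
#   Reads the live flags for DEV and reports whether it is promiscuous.
#   Returns 2 if the interface does not exist.
check_dev() {
    dev=$1
    f=/sys/class/net/$dev/flags
    [ -r "$f" ] || { echo "$dev: no such interface" >&2; return 2; }
    echo "$dev: promiscuous=$(is_promisc_flags "$(cat "$f")")"
}

# scan_all
#   Walks every interface the kernel knows about; run this from cron or an
#   integrity-monitoring job, since a host with no IP address or with
#   "iptables -I OUTPUT --out-interface eth0 -j DROP" is invisible to the
#   remote ARP/DNS/Etherping tests but still shows IFF_PROMISC here.
scan_all() {
    for d in /sys/class/net/*; do
        check_dev "$(basename "$d")"
    done
}
```

Call `scan_all` to audit the local host; on a clean machine only interfaces deliberately bridged or monitored should report promiscuous=yes.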