On Sat, 20 Mar 2010 18:42:18 -0700 (PDT), Karthik Balaguru
wrote:
On Mar 20, 3:28 pm, Stephane CHAZELAS
wrote:
2010-03-20, 01:59(-07), Karthik Balaguru:
[...]
1. Sentinel
Supports 3 methods of remote promiscuous
detection: the DNS test, Etherping test, ARP test.
-a ARP test, -d DNS test, -e ICMP etherping test.
Need to check it out. Has anyone tried this
out?
All those methods assume the interface is configured with an IP
address, or that the system supports IP.
Okay. Yeah, I analyzed it and it appears just
as you conveyed: passive sniffers in promiscuous
mode (remote) can be detected only if they are on
an interface with a configured IP address!
There's no need to
implement an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.
sudo iptables -I OUTPUT --out-interface eth0 -j DROP
And that interface will not be detected.
:-(
Interesting to know that wireshark or other sniffers
can be used on an interface that hasn't got any IP
address configured.
But I wonder what the advantage/use is of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios might we need to run wireshark
on an interface without an IP address? Any thoughts?
At least 4.
1. You do not pollute a general capture file with crud from the
capture PC (this is generally true - e.g. on a "real" Sniffer).
It makes figuring out what is going on from scratch easier.
2. If you are connecting to, say, a customer network then you do not
get issues with the capture PC trying to join the local M$oft AD
domain, or catching a locally propagating net virus.
3. If you run IP on the interface some firewall configs will try to
block IP of various types to "improve" the PC security...
4. You may not use IP on this network (much more rare recently, but
it used to be common).
Probably same with
sudo ip addr flush dev eth0
:-(
It appears that there is NO method to detect passive sniffing
unless the sniffer does not take care of things like hiding
IP address / using a proper flawless OS.
2. neped.c
http://www.artofhacking.com/tucops/h.../aoh_neped.htm
Network Promiscuous Ethernet Detector w.r.t. Linux.
Specifically designed to detect the sniffers that
use the flaw in the Linux TCP/IP stack! I think this
will not be useful for the kernels in which the
flaw has been fixed, such as kernel 2.2.10, as they
drop the incoming packets that are not destined
for this ethernet address.
2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.
True, there might not be many systems that use pre-2.2.10
unless upgraded. So, it is difficult to determine the presence
of a sniffer in networks in such a case.
So, in brief - NO METHOD to detect passive sniffing :-(
That is, it seems that unless there is a flaw in the operating
system similar to that of the TCP/IP stack in pre-2.2.10 linux kernels, it
is not possible to determine the presence of sniffers performing
passive sniffing in the network.
You can detect the presence of a device where there is a lower-layer
protocol that the device has to actively use to run:
wireless LAN with a sniffer that doesn't understand passive-only
wireless mode, for example - no idea if that still includes
wireshark.....
Note - at this point all you can tell is that there is a device present,
not what it is doing.
Karthik Balaguru
--
Regards
- replace xyz with ntl
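Added example, not part of the thread and not code from Sentinel or neped: a small Python model of the ARP test the thread discusses, and of why the two evasions mentioned (no IP address on the capture interface, or an OUTPUT rule that drops everything leaving it) defeat it. The probe is a real ARP who-has frame whose Ethernet destination is the classic "fake broadcast" address ff:ff:ff:ff:ff:fe rather than ff:ff:ff:ff:ff:ff; a NIC that is not in promiscuous mode should discard it before the OS sees it, so any ARP reply betrays a host whose NIC is passing everything up. The NIC filter (own unicast or broadcast only, everything when promiscuous) is a deliberate simplification that ignores multicast hash filters and OS-specific quirks, the hosts are simulated in-process, and all MAC/IP addresses are constructed for the example; nothing is sent on the wire.

```python
"""Model of the ARP-based remote promiscuous-mode test (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Bogus destination used by the ARP test: not the real broadcast address and
# owned by no NIC, so a non-promiscuous NIC should drop the frame.
PROBE_DST_MAC = "ff:ff:ff:ff:ff:fe"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header followed by a 28-byte ARP body (RFC 826 layout)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
           + mac_to_bytes(sha) + ip_to_bytes(spa)
           + mac_to_bytes(tha) + ip_to_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the addresses and opcode of an ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sha": bytes_to_mac(frame[22:28]),
        "spa": bytes_to_ip(frame[28:32]),
        "tha": bytes_to_mac(frame[32:38]),
        "tpa": bytes_to_ip(frame[38:42]),
    }


@dataclass
class Host:
    mac: str
    ip: Optional[str]              # None: no IP address configured on the interface
    promiscuous: bool = False      # a sniffer has put the interface in promiscuous mode
    egress_dropped: bool = False   # e.g. iptables -I OUTPUT --out-interface eth0 -j DROP

    def nic_accepts(self, dst_mac: str) -> bool:
        """Simplified NIC address filter (assumption: unicast-to-self or broadcast;
        promiscuous mode disables the filter entirely)."""
        return self.promiscuous or dst_mac in (self.mac, BROADCAST_MAC)

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Deliver a frame to this host and return the ARP reply it emits, if any."""
        arp = parse_arp(frame)
        if arp is None or not self.nic_accepts(arp["dst_mac"]):
            return None                      # dropped by the hardware filter
        if arp["op"] != ARP_REQUEST or self.ip is None or arp["tpa"] != self.ip:
            return None                      # no IP stack, or not our address: nothing to say
        if self.egress_dropped:
            return None                      # reply is built but never leaves the box
        return build_arp(arp["src_mac"], self.mac, ARP_REPLY,
                         self.mac, self.ip, arp["sha"], arp["spa"])


def arp_test(prober_mac: str, prober_ip: str, target_ip: str, host: Host) -> bool:
    """Send who-has target_ip to the bogus MAC; a reply means the host's NIC
    delivered a frame it should have discarded, i.e. promiscuous mode."""
    probe = build_arp(PROBE_DST_MAC, prober_mac, ARP_REQUEST,
                      prober_mac, prober_ip, "00:00:00:00:00:00", target_ip)
    reply = host.receive(probe)
    if reply is None:
        return False
    r = parse_arp(reply)
    return r is not None and r["op"] == ARP_REPLY and r["spa"] == target_ip


def run_cases() -> dict:
    """Constructed hosts covering the situations discussed in the thread."""
    prober = ("00:11:22:33:44:55", "192.168.1.10")
    hosts = {
        "normal host": Host("aa:bb:cc:00:00:01", "192.168.1.20"),
        "sniffer with IP": Host("aa:bb:cc:00:00:02", "192.168.1.21", promiscuous=True),
        "sniffer, OUTPUT dropped": Host("aa:bb:cc:00:00:03", "192.168.1.22",
                                        promiscuous=True, egress_dropped=True),
        "sniffer, no IP address": Host("aa:bb:cc:00:00:04", None, promiscuous=True),
    }
    # The prober has to guess an IP for a host with none; any address will do.
    return {name: arp_test(*prober, h.ip or "192.168.1.23", h) for name, h in hosts.items()}


if __name__ == "__main__":
    for name, detected in run_cases().items():
        print(f"{name:26s} -> {'DETECTED' if detected else 'not detected'}")
```

Only the sniffer that has an IP address and is free to answer shows up; the model reproduces the thread's conclusion that an interface with no address, or one whose outbound traffic is dropped, is invisible to this class of test. On real hardware the outcome also depends on how the NIC treats ff:ff:ff:ff:ff:fe (it has the multicast bit set) and on the OS's ARP code, so treat a negative result as "not proven", never as "no sniffer".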