March 29th 10, 09:25 PM posted to alt.internet.wireless,comp.os.linux.networking,comp.os.linux.security,microsoft.public.access.security,microsoft.public.windows.vista.networking_sharing
Shadow[_3_]
Determining the presence of wireshark

On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
wrote:

> Hi,
> How to determine the presence of wireshark in a network?
> Are there any specific packet types exchanged while it
> is present in the network so that it can be used to determine
> its presence in the network. Any tool to identify its presence
> in either Windows or Linux? Any ideas?
>
> Thx in advans,
> Karthik Balaguru

Wireshark has DNS resolving on by default (or it used to, as
far as I can remember). If the sniffer is an amateur, and leaves it
on, you can try to ping an imaginary address. The sniffer's Wireshark
will pick up the address and try to resolve it. So just filter with
"dns and 'pinged IP'" and you can see which computer Wireshark is on.
Duh.
[]'s
Kismet and aircrack of course are MUCH less detectable than
Wireshark... they are totally non-intrusive.
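
The decoy-address check described in the post above, as an added example that is not part of the original post: it scans captured DNS query payloads for reverse (PTR) lookups of the address that was pinged and reports which hosts sent them. The packet list, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

PTR = 12  # DNS QTYPE used for reverse (address-to-name) lookups

def parse_question(payload):
    """Return (qname, qtype) of the first question in a DNS query, else None."""
    if len(payload) < 12 or payload[2] & 0x80:   # too short, or QR bit set (a response)
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None                          # compression pointer or bad length
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(payload):                   # need the root byte plus QTYPE/QCLASS
        return None
    qtype, = struct.unpack("!H", payload[pos + 1:pos + 3])
    return ".".join(labels).lower(), qtype

def hosts_resolving_decoy(packets, decoy_ip):
    """Source IPs that sent a PTR query for decoy_ip, in first-seen order."""
    wanted = ipaddress.ip_address(decoy_ip).reverse_pointer
    hits = []
    for src, payload in packets:
        if parse_question(payload) == (wanted, PTR) and src not in hits:
            hits.append(src)
    return hits

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query; used only to construct the sample data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# Constructed sample: (source IP, UDP/53 payload) pairs; every address is made up.
DECOY = "192.0.2.77"
SAMPLE = [
    ("10.0.0.5", build_query("www.example.com", 1)),
    ("10.0.0.23", build_query("77.2.0.192.in-addr.arpa", PTR)),
    ("10.0.0.8", build_query("1.0.0.10.in-addr.arpa", PTR)),
    ("10.0.0.23", build_query("77.2.0.192.in-addr.arpa", PTR, txid=0x1235)),
    ("10.0.0.9", b"\x00\x01"),  # truncated payload, must be ignored
]

if __name__ == "__main__":
    print(hosts_resolving_decoy(SAMPLE, DECOY))
```

A hit is a lead rather than proof: any host that resolves the addresses it logs will send the same lookup, and a capture tool with name resolution switched off sends none.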