Firewalls: Re: How can I detect packet sniffer

Firewalls
(April 1998)

Indexed By Thread: [Previous] [Next]

Subject:	Re: How can I detect packet sniffer
From:	Roger Books <books @ mail . state . fl . us>
Date:	Mon, 13 Apr 1998 09:03:43 -0400 (EDT)
To:	firewalls @ GreatCircle . COM
In-reply-to:	<Pine . SOL . 3 . 96 . 980411200338 . 12281B-100000 @ brooks>
Reply-to:	Roger Books <books @ mail . state . fl . us>

Well, there was a claim on comp.security.unix that a sniffer could be
detected via the following procedure (note timings are VERY important).

This assumes you are running your sniffer on a machine that will reply
back, ie, a unix, nt, etc etc box.

Get a good average ping time to a machine when the net was lightly loaded.
You are trying to get the latency.

Generate a large amount of traffic to a non-existant address on the local
net and, while doing this, again measure the latency.  If the latency
is close to the original than the machine is not sniffing.  If the latency
goes up significantly then the machine is having to process packets the
ethernet card should not be sending on, meaning the ethernet card is in
promiscuous mode.

Now, I'm not really sure I buy this, but the author claimed it would
work.  I'd have to see it myself.

Roger

References:

Re: How can I detect packet sniffer
From: Antonio Paulo Salgado Forster <forster @ na-cp . rnp . br>

Indexed By Date	Previous:	Registered mail From: admin8 @ mauimail . com
Indexed By Date	Next:	Re: Livingston's IRX211 firewall router From: Bill Coutinho <bill @ dextra . com . br>
Indexed By Thread	Previous:	Re: How can I detect packet sniffer From: Antonio Paulo Salgado Forster <forster @ na-cp . rnp . br>
Indexed By Thread	Next:	RE: socks versus fw-1 [Part IIa/II] From: Frank Willoughby <frankw @ in . net>