Great Circle Associates Firewalls
(April 1998)
 


Subject: Re: How can I detect packet sniffer
From: Roger Books <books @ mail . state . fl . us>
Date: Mon, 13 Apr 1998 09:03:43 -0400 (EDT)
To: firewalls @ GreatCircle . COM
In-reply-to: <Pine . SOL . 3 . 96 . 980411200338 . 12281B-100000 @ brooks>
Reply-to: Roger Books <books @ mail . state . fl . us>

Well, there was a claim on comp.security.unix that a sniffer could be
detected via the following procedure (note timings are VERY important).

This assumes you are running your sniffer on a machine that will reply
back, i.e., a Unix, NT, etc. box.

Get a good average ping time to a machine when the net was lightly loaded.
You are trying to get the latency.

Generate a large amount of traffic to a non-existent address on the local
net and, while doing this, again measure the latency.  If the latency
is close to the original then the machine is not sniffing.  If the latency
goes up significantly then the machine is having to process packets the
ethernet card should not be sending on, meaning the ethernet card is in
promiscuous mode.

Now, I'm not really sure I buy this, but the author claimed it would
work.  I'd have to see it myself.

Roger
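
The comparison step of the procedure described above, as an added example that is not part of the original post: it parses `ping` output captured while the net is quiet and again while traffic to a non-existent local address is being generated, then scores the shift in median latency against the baseline's own jitter. The sample output, the 192.0.2.10 address, the function names and the threshold of 5 are constructed assumptions.

```python
import re
import statistics

RTT_RE = re.compile(r"time[=<]([\d.]+)\s*ms")

# Constructed ping output (not real captures). The baseline includes one
# outlier, which is why medians are used instead of means.
QUIET = "\n".join(f"64 bytes from 192.0.2.10: icmp_seq={i} ttl=64 time={t} ms"
                  for i, t in enumerate([0.41, 0.39, 0.44, 0.40, 0.42, 3.10], 1))
LOADED_SUSPECT = "\n".join(f"64 bytes from 192.0.2.10: icmp_seq={i} ttl=64 time={t} ms"
                           for i, t in enumerate([1.90, 2.10, 1.75, 2.30, 2.05, 1.98], 1))
LOADED_CLEAN = "\n".join(f"64 bytes from 192.0.2.10: icmp_seq={i} ttl=64 time={t} ms"
                         for i, t in enumerate([0.43, 0.40, 0.45, 0.41, 0.42, 0.44], 1))


def parse_rtts(ping_output):
    """Extract round-trip times in milliseconds from ping reply lines."""
    return [float(m.group(1)) for m in RTT_RE.finditer(ping_output)]


def mad(samples):
    """Median absolute deviation: a jitter estimate that ignores outliers."""
    med = statistics.median(samples)
    return statistics.median([abs(s - med) for s in samples])


def latency_shift(baseline, loaded, min_samples=5):
    """Shift in median RTT under load, in units of baseline jitter."""
    if len(baseline) < min_samples or len(loaded) < min_samples:
        raise ValueError("too few RTT samples for a stable comparison")
    # Floor the jitter at 0.01 ms so a perfectly flat baseline cannot
    # turn a tiny shift into a huge score.
    spread = max(mad(baseline), 0.01)
    return (statistics.median(loaded) - statistics.median(baseline)) / spread


def looks_promiscuous(quiet_output, loaded_output, threshold=5.0):
    """Return (flag, score); threshold is an assumed cut-off, tune per net."""
    score = latency_shift(parse_rtts(quiet_output), parse_rtts(loaded_output))
    return score >= threshold, score


if __name__ == "__main__":
    for name, loaded in (("suspect", LOADED_SUSPECT), ("clean", LOADED_CLEAN)):
        flag, score = looks_promiscuous(QUIET, loaded)
        print(f"{name}: shift={score:.1f} x jitter, flagged={flag}")
```

A high score only says the host got slower while the extra traffic was on the wire; CPU load on the target or congestion on the segment produce the same shift, so repeat the measurement before drawing a conclusion.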

