On Tue, 12 Jan 1999, Carric Dooley wrote:

> I have seen a program for Linux that is supposed to go out and look for
> NICs in promiscuous mode.

This is about as close as you can get. If we are talking a
software-based sniffer that is running on a known OS, you have a chance
of detecting it. Your other possibilities are to find hub ports that you
know should be inactive, switch ports that have been set up as a monitor,
etc. There was also a good hint that was passed along on this list to
watch DNS queries in case the sniffer is trying to resolve host names.
Keep in mind that these are all indirect methods of figuring out if your
network is being monitored.

It is more than possible to run a sniffer on a network and have it be
100% undetectable. You are talking about a passive device, something
that listens to all network traffic without actually generating any
traffic itself. Heck, the device does not even need a network address or
a MAC address, meaning that it can be completely invisible from OSI
layers 2 and up. This means that if a savvy attacker is able to gain
access to your physical network, they are more than capable of grabbing
traffic and going undetected.

Cheers,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
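
The DNS hint from the message above, as an added example that is not part of the original post: a Python check over a resolver query log that flags clients doing reverse lookups for a decoy address or for many distinct addresses. The log format, the addresses, the decoy idea (an unused address the defender sent test traffic to) and the threshold are assumptions for illustration; as the message says, this is an indirect method and sees nothing from a sniffer that never resolves names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of resolver query-log lines: "<time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
10:00:01 192.0.2.10 A www.example.com.
10:00:02 192.0.2.44 PTR 7.2.0.192.in-addr.arpa.
10:00:02 192.0.2.44 PTR 10.2.0.192.in-addr.arpa.
10:00:03 192.0.2.44 PTR 250.2.0.192.in-addr.arpa.
10:00:04 192.0.2.10 PTR 44.2.0.192.in-addr.arpa.
10:00:05 192.0.2.44 PTR 99.100.51.198.in-addr.arpa.
garbage line
"""

def ptr_target(qname):
    """Return the IPv4 address a reverse-lookup name refers to, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def suspect_resolvers(log_text, decoys, allowlist=(), max_distinct=3):
    """Map client -> reasons. decoys: unused IPs the defender sent test traffic to (assumed)."""
    decoys = {ipaddress.IPv4Address(d) for d in decoys}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "PTR":
            continue  # skip malformed lines and forward lookups
        client, target = parts[1], ptr_target(parts[3])
        if target is not None and client not in allowlist:
            seen[client].add(target)
    report = {}
    for client, targets in seen.items():
        reasons = []
        hit = sorted(targets & decoys)
        if hit:  # nobody has a legitimate reason to look up a decoy address
            reasons.append("decoy lookup: " + ", ".join(map(str, hit)))
        if len(targets) >= max_distinct:
            reasons.append(f"{len(targets)} distinct reverse lookups")
        if reasons:
            report[client] = reasons
    return report

if __name__ == "__main__":
    print(suspect_resolvers(SAMPLE_LOG, decoys=["192.0.2.250"]))
```

Hosts that legitimately do bulk reverse lookups (mail servers, log analysers) belong in `allowlist`.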
