Re: How can I detect if there is a sniffer running on my local so bnet?

[Marc]

Hi,

> Quoth Bennett Todd, on Thursday, January 14, 1998
> > I seem to recall the trick was something like "send a ping or 
> > some such to the broadcast IP address with a specific, non-broadcast
> ethernet address".
> 
> More information about this, and/or pointers to code/commercial software
> (for _any_ platforms) that will do this would be _greatly_ appreciated.

I found this solution one year ago and posted it on the mailing list, so it
should be in the archives. However, it does not work with Solaris, AIX or a
BSD I tested. Linux was the only one that nice. I hear that this was fixed in
the kernel 2.0.36 but I don't think so. Either way, there are other
possibilities ;-)

don't waste your money on a "commercial" program for this (I've never seen
one though) if you want to use this fake-arp solution. It's really easy:

Example: (1.1.1.1 is the linux host you want to check for a sniffer)

# arp -s 1.1.1.1 01:01:01:01:01:01
# ping 1.1.1.1

if you get a ping reply, it's ethernet card is in promisc mode.
you can also do similar things with ipsend (in the ip_filter package)
or casl.

Greets,
        Marc

--

[EMAIL PROTECTED]   Transparente Sicherheit   http://www.invisible.org


Type Bits/KeyID    Date       User ID
pub  2048/ABF9BB49 1998/11/11 Marc <[EMAIL PROTECTED]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzZJoF8AAAEIALrfJZ+A5h5iJPU+brRkR3xOYWgG9KFM4BP61ZZ9BblBia25
7MNSBZ+O9RTvyfsRc3huGaUKkrr7yPd3u6wOZaTbbboeC5XjdlSViv5kR95dUbNL
cWWIMyLkxwZ1L1+q0B++Kbu0ZRX80mn/4LPGyWoRHOS05wbgccQ+eCJNQQ1/DlBH
Tr1l9MaOT+26TuVhQpdAe/Z295948OvVAiy8p7OgH5XFmiKobW8MNN/pw+XLkQk/
SrukrWG1iyVeAuyiIlhgLSYfVQ+19vLTpECm244ISnY6NPcuEDmfWK+zJ3p18pe4
yatpCSiLAFi3Ue0rFTTBOepWCpZFo18CEKv5u0kABRG0GU1hcmMgPG1hcmNAaW52
aXNpYmxlLm9yZz6JARUDBRA2SaBfo18CEKv5u0kBAdD1B/9q2NoL9IwYLUUMfDVc
Am9DdfjqrM0q3ZY4H7dfMy0sYGtN3NuUpHBzIKvD5n/WxSpf9Gyey8Uq5zHNmumA
fih/R9PTRr+g+kndAoS9MWPIu9nOMSgBsYUUaSF07sVxg8GiXbUUdoX12bi7gtzu
IUTiABS8njbwV3eUilavs6KVjEDlldXfs9NH2dVjvmgi2ozNAo+aUoQtQYbkkVOI
8k+OsBhAqusXVFjXVX3D6szqwTwqm/Ox0p3ya2ohsn2Ys8YTCVpEBrxjILalbDLZ
pJLYMzf57w2oe29oMEPAb/RdhotzKPfezPv8/ESXwDiuRZLPylTuli8pt1BvIeh8
dvhU
=JCVw
-----END PGP PUBLIC KEY BLOCK-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]