On 26 May 99, at 8:35, Mailing Lists wrote:
> I'm looking for a free (or nearly free) tool in either Linux or NT that
> could tell me when a nic has been placed in promiscuous mode (aka, when a
> sniffer is started) on a machine. I want to run it in a cron job (or at
> job in NT) so that it could email or page me when it happens.
There's a registry key in NT to put the NIC in promiscuous mode -- I don't
know if that takes effect at boot, or only when Network Monitor is run. [I
believe it's specific to the default NDIS driver, and that it's probably
ignored by third-party NT-based sniffers that use a packet driver instead.]
I've seen mention of a trick that is supposed to get sniffers to respond to
some particular network traffic, announcing their presence. I'm not sure how
well this works; received wisdom has it that this can be defeated by
disconnecting the TX leads on the sniffer's NIC so that all outbound
transmissions are physically blocked. [This would also defeat any of the
other mechanisms suggested, unless the sniffing box also had a second NIC for
"normal" use.]
Bottom line, then, is that sniffer-hiding technology is probably several
steps ahead of any sniffer-finding technology -- especially any that you'll
find for free or cheap!
David G
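
For the Linux half of the question, a local cron check can read each interface's flag word and test the IFF_PROMISC bit (0x100). This is an added example, not part of the original thread; it assumes a current Linux kernel exposing /sys/class/net/<iface>/flags, and the function name `promisc_ifaces` and the `--cron` switch are hypothetical.

```shell
#!/bin/sh
# Added example: report interfaces whose flag word has IFF_PROMISC set.
# Assumption: Linux sysfs layout /sys/class/net/<iface>/flags (hex, e.g. 0x1103).

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# promisc_ifaces [ROOT]
# Prints one interface name per line. ROOT defaults to /sys/class/net and
# can point at a constructed directory tree for testing.
promisc_ifaces() {
    root="${1:-/sys/class/net}"
    for dir in "$root"/*; do
        [ -r "$dir/flags" ] || continue
        flags=$(cat "$dir/flags")
        # Accept only "0x" followed by hex digits before doing arithmetic on it.
        case "$flags" in
            0x*) hex=${flags#0x} ;;
            *)   continue ;;
        esac
        case "$hex" in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        if [ $(( 0x$hex & $IFF_PROMISC )) -ne 0 ]; then
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# Cron usage (hypothetical switch): prints only when something is found,
# so cron's normal mail-on-output behaviour delivers the alert.
if [ "${1:-}" = "--cron" ]; then
    found=$(promisc_ifaces)
    if [ -n "$found" ]; then
        echo "Promiscuous mode enabled on $(hostname):"
        echo "$found"
        exit 1
    fi
fi
```

This only reports what the local kernel says about its own interfaces, so it is subject to the same limits raised above: it says nothing about other machines on the wire, and nothing if the host itself cannot be trusted.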