Hi,

this question is a very interesting one. But I fear that there might be some
misunderstandings. Give me a conclusion on these answers yet available here:

- option to ifconfig -> shows promisc NIC on local host
- shell script using ifconfig -> as above (surely :)
- dumping WINS data -> looks as showing promisc NIC on local host again
- using some linux flaw -> shows only promisc NICs on hosts running this flaw

Detecting a promiscuous mode on some local NIC should not be the problem to me.

Detecting some sniffer on any host in the network that sits there hidden, that
might be the real problem to me. Am I right?

The question now is, which feature may be used to force any NIC on the network
to send back a flag stating it's set to promiscuous mode or not. This feature
really has to be hardcoded to any NIC or it is almost useless to ask for this.

If I would set up some sniffer, I would want to be some transparent listener.
In some M$-NT-network I surely am allowed to use some different OS as example.
Being in possession of this sniffer host I would be allowed to turn off any
software flags and to protect this host from any questioning of others.

So again the question: Is there any hardcoded feature agreed on every NIC
around the world to state the promiscuous mode to any non-local questioner?
If there is one, I want to know this from you for sure.

Looks as <[EMAIL PROTECTED]> goes some similar direction.

B.T.W. Nevertheless it is interesting enough, whether M$ features something alike
within their proprietary protocols. Or any others.

If there might be some company, producing NICs with the above feature truly in
hardware, the paranoid ones should allow only this kind of NIC in their network.
They then will be able to detect any foreign MAC even without asking for the
promisc mode settings there. But would that be a real solution again?

Becoming paranoid even more: I am able to sit on your network signals as they
have to use electromagnetic waves anyway. Producing my copy of your stream you
will never be able to even get some signals back from me. There are methods
of measurement to wires or fibre - but they only give you power scales.

The last one might go too far for the original question.
But I am very interested in true answers to the question of detecting non-local
promiscuous NICs on some network.

HvS
:-)

------------------------------

Date: 
From: Ben Nagy <[EMAIL PROTECTED]>
Subject: RE: Free Tools for detecting sniffers

Wow. What characteristic of the NIC allows you to detect this? I would have
thought that it would be purely internal to the system running the NIC...Is
there some weird Ethernet broadcast that the NIC sends when it's entering
promiscuous mode?


--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
 -----Original Message-----
From:   Mailing Lists [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 26, 1999 10:05 PM
To:     [EMAIL PROTECTED]
Subject:        Free Tools for detecting sniffers

Hi!

I'm looking for a free (or nearly free) tool in either Linux or NT that
could tell me when a NIC has been placed in promiscuous mode (aka, when a
sniffer is started) on a machine.  I want to run it in a cron job (or at
job in NT) so that it could email or page me when it happens.

Thanks!
...
------------------------------
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
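
The local-host check that the thread describes (the ifconfig-style test, run from cron), as an added example that is not part of any poster's message. It assumes a Linux system that exposes each interface's flags word under /sys/class/net; the function names are hypothetical. It covers only the local case, not the remote detection asked about in the first message.

```shell
#!/bin/sh
# Added example: list local interfaces whose flags word has IFF_PROMISC set.
# Assumption: Linux sysfs layout /sys/class/net/<iface>/flags (hex, e.g. 0x1103).
# IFF_PROMISC is bit 0x100 in <linux/if.h>.

# is_promisc FLAGS -> exit status 0 if the hex flags word has IFF_PROMISC set
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_ifaces [ROOT] -> print one promiscuous interface name per line
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for dir in "$root"/*; do
        [ -r "$dir/flags" ] || continue
        flags=$(cat "$dir/flags") || continue
        # Accept only a plain 0x-prefixed hex word before doing arithmetic on it.
        hex=${flags#0x}
        [ "$hex" != "$flags" ] || continue
        case $hex in ''|*[!0-9a-fA-F]*) continue ;; esac
        if is_promisc "$flags"; then
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# check_and_report [ROOT] -> silent and status 0 when clean;
# prints one alert line and returns 1 when any interface is promiscuous.
check_and_report() {
    found=$(promisc_ifaces "$1")
    [ -z "$found" ] && return 0
    printf 'PROMISC on %s: %s\n' "$(uname -n)" "$(echo $found)"
    return 1
}

# Run as "script --check" from cron: cron mails any output to the job owner,
# so a message arrives only when an interface is in promiscuous mode.
if [ "${1:-}" = "--check" ]; then
    check_and_report
fi
```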
