Of all the built-in tests that L0pht's AntiSniff uses, the easiest one to
simulate, and the one that produces the fewest false positives, is the DNS
inverse resolution test. You need to install your own sniffer (I think there
are a couple for Windows 95), and then make a call to a bogus hostname, e.g.
"telnet are.you.watching". If the sniffer is set to resolve hostnames (as
tcpdump is, by default), then watch for DNS packets that try to resolve
"are.you.watching", and you'll have caught your sniffer red-handed. The
caveats here are that your own sniffer must not do host resolution itself (or
you will sniff yourself trying to resolve "are.you.watching") and that you
must not have some sort of proxy firewall trying to resolve your request.
Also, if the real sniffer is not doing real-time resolution, but instead
capturing IP dumps and resolving at a later time, then you might be out of
luck.
At that point you'd probably have to turn to the other tests that AntiSniff
uses. The only thing that concerns me is that the other two tests
(OS-specific and network/machine latency) either work only on a very specific
operating platform (i.e. old Linux kernels and Windows network drivers based
on Microsoft's own default driver) or raise such ambiguous results (false
positives) that they become less useful.
But better than nothing, I'd say...
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-----Original Message-----
From: Peter M <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, January 07, 2000 6:56 PM
Subject: General Question... Is it possible?
>Is there any way to detect in Windows 95 if you are being sniffed (of
>everything.. every packet)... I know L0pht has an AntiSniff to see if you are
>being sniffed.. but other than that.. I hate that program and I don't trust
>it ;).. So is there any other way of detecting if you are being sniffed..
>let me know
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
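The DNS test described above, as an added example that is not part of either message in this thread. It demonstrates the variant AntiSniff itself used: you send packets to a bait IP address that nothing on your segment has any business resolving, and a sniffer that reverse-resolves captured addresses (tcpdump without -n, for instance) gives itself away by sending a PTR query for that address's in-addr.arpa name. The code below only parses captured DNS query payloads and reports which source hosts asked the bait question; capturing the UDP port 53 traffic (a raw socket, or tcpdump/WinDump with a "udp port 53" filter) is left to the operator. It also implements the first caveat from Gene's message, excluding the detector's own address so your own resolver does not flag you. The addresses (192.0.2.x) and the captured queries are constructed here for the example.

```python
"""Sniffer bait check via DNS reverse lookups (offline demonstration).

A sniffer that reverse-resolves the addresses it captures will emit a PTR
query for <reversed bait>.in-addr.arpa the moment it sees traffic to the bait
address. Any host seen asking that question has seen the bait packets.
Sniffers that log raw captures and resolve later are not caught this way.
"""
import ipaddress
import struct

DNS_TYPE_A = 1
DNS_TYPE_PTR = 12


def ptr_name(ip: str) -> str:
    """Return the in-addr.arpa name a resolver asks for when reverse-resolving ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_query(payload: bytes):
    """Parse the first question of a DNS query.

    Returns (lowercased name, qtype), or None if the payload is a response
    (QR bit set), carries no question, or is truncated/malformed.
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointer in a question QNAME, or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def find_watchers(captured, bait_ip: str, own_ips=()):
    """Return the sorted source IPs that asked for the bait address's PTR record.

    captured: iterable of (src_ip, udp_payload) taken from traffic to port 53.
    own_ips: the detector's own addresses; its resolver would otherwise flag
    itself (the first caveat in the message above).
    """
    wanted = ptr_name(bait_ip).lower()
    watchers = set()
    for src, payload in captured:
        if src in own_ips:
            continue
        q = parse_query(payload)
        if q is not None and q[0] == wanted and q[1] == DNS_TYPE_PTR:
            watchers.add(src)
    return sorted(watchers)


# Constructed sample data: a bait address nothing on the segment should resolve,
# the detector's own address, and a handful of DNS queries seen on the wire.
BAIT_IP = "192.0.2.77"
DETECTOR_IP = "192.0.2.10"
SAMPLE_CAPTURE = [
    ("192.0.2.20", build_query("www.example.com", DNS_TYPE_A)),            # normal lookup
    ("192.0.2.20", build_query("77.2.0.192.in-addr.arpa", DNS_TYPE_PTR)),  # the sniffing host
    ("192.0.2.10", build_query("77.2.0.192.in-addr.arpa", DNS_TYPE_PTR)),  # our own resolver
    ("192.0.2.30", build_query("5.2.0.192.in-addr.arpa", DNS_TYPE_PTR)),   # unrelated reverse lookup
    ("192.0.2.40", b"\x00\x01"),                                          # garbage, must not crash
]

if __name__ == "__main__":
    print("hosts reverse-resolving the bait:",
          find_watchers(SAMPLE_CAPTURE, BAIT_IP, own_ips={DETECTOR_IP}))
```

Pick a bait address inside your own subnet that is known to be unassigned, so the packets actually appear on the local wire, and generate a few bursts of traffic to it while capturing. The second caveat from the message still applies: a proxy or firewall that reverse-resolves connections on your behalf will show up as a watcher too, so add its address to own_ips or rule it out by hand.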