In-Reply-To: <[EMAIL PROTECTED]>
If you're a domain admin on a purely NT/2K network, detecting sniffers isn't all that hard. Go to http://patriot.net/~carvdawg/perl.html and check out 'sniffer.pl'. What this script does is enumerate device drivers from the Service Control Manager. It does this b/c the winpcap drivers are very popular...used by snort, Ethereal, even the sniffing component of L0phtcrack3. They're freely available, easy to install...and yes, if someone changes the name of the driver, the script won't detect it. However, if they change the name of the driver they then have to recompile the tools, don't they?
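
An added example, not part of the original post and not the sniffer.pl script it mentions: the same name-based driver check in Python, run over a constructed sample laid out like `sc query type= driver state= all` output. The service names `npf` and `npcap` in the watch list are assumptions about default WinPcap and Npcap installs.

```python
import re

# Driver service names to flag. Assumption: "npf" is the WinPcap driver service
# and "npcap" its successor; extend the set for your environment.
CAPTURE_DRIVERS = {"npf", "npcap"}

# Constructed sample in the layout printed by `sc query type= driver state= all`.
SAMPLE = """\
SERVICE_NAME: Beep
DISPLAY_NAME: Beep
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING

SERVICE_NAME: NPF
DISPLAY_NAME: NetGroup Packet Filter Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING

SERVICE_NAME: xyzflt
DISPLAY_NAME: xyzflt
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
"""

def parse_drivers(text):
    """Return one dict per driver record: name, display, state."""
    drivers = []
    for line in text.splitlines():
        m = re.match(r"\s*(SERVICE_NAME|DISPLAY_NAME|STATE)\s*:\s*(.*)", line)
        if not m:
            continue  # TYPE, exit codes and flag lines are not needed here
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            drivers.append({"name": value, "display": "", "state": ""})
        elif drivers and key == "DISPLAY_NAME":
            drivers[-1]["display"] = value
        elif drivers and key == "STATE":
            drivers[-1]["state"] = value.split()[-1]  # "4  RUNNING" -> "RUNNING"
    return drivers

def find_capture_drivers(text):
    """Flag drivers whose service name is on the watch list (case-insensitive)."""
    return [d for d in parse_drivers(text) if d["name"].lower() in CAPTURE_DRIVERS]

if __name__ == "__main__":
    for d in find_capture_drivers(SAMPLE):
        print(f"{d['name']} ({d['display']}): {d['state']}")
```

The constructed `xyzflt` record is not flagged, which is the limitation the post describes: a check keyed on the driver name only sees drivers that keep a known name.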