I would suggest using Ettercap (http://ettercap.sourceforge.net) to sniff in the switched network. Sniff Host A from Host B. Have Ethereal (www.ethereal.com) capture on Host C. You might find something interesting with the ARP requests/changes.

Another thing you can do (this is what I do) is install Arpwatch (www.securityfocus.com/tools/142). Since Ettercap poisons the ARP tables, this will set Arpwatch off and you'll know something funny is going on by the mass amounts of e-mails about stations being flipped and whatnot.

Hope this helps!

-Matt

On Thursday 21 February 2002 01:29, Sumit Dhar wrote:
> Hello All,
>
> I was wondering the other day as to how one could go about detecting a
> sniffer on the network. If it is a Shared Ethernet, I wouldn't even
> try... but on a Switched Ethernet, I feel there still is a chance.
>
> Specifically,
>
> 1. What would be the best method to see if someone is carrying
> out ARP-Spoofing?
>
> 2. Would it be possible to locate a machine that is flooding
> the network with fake MAC replies?
>
> Also, what would be the other methods that a person *MIGHT* use to
> sniff in a switched environment?
>
> Most of the anti-sniffing tools (from L0pht etc.) are not very
> reliable.. any other tools that you people are aware of? And lastly,
> though I think it is practically impossible, would it be possible to
> detect a sniffer on a Shared Ethernet (where it is usually passive).
>
> Also let me clarify, each user on this network controls his machine
> completely as the root user, no user has access to every machine..
>
> Regards
> Dhar
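
The binding check behind the "stations being flipped" reports described in the reply above, as an added example that is not part of the original thread and is not Arpwatch's own code: it parses ARP frames, tracks which MAC each IP answers from, and flags changes. The function names, alert names, addresses and sample frames are constructed for this illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def watch(frames):
    """Track IP-to-MAC bindings and return (kind, ip, mac) alerts."""
    history = defaultdict(list)  # ip -> last two MACs seen, oldest first
    claimed = defaultdict(set)   # mac -> IPs it has claimed as sender
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        seen = history[ip]
        if not seen or seen[-1] != mac:
            if seen:  # binding changed; "flip flop" means back to the previous MAC
                back = len(seen) > 1 and seen[-2] == mac
                alerts.append(("flip flop" if back else "changed ethernet address", ip, mac))
            history[ip] = (seen + [mac])[-2:]
        if claimed[mac] and ip not in claimed[mac]:
            alerts.append(("mac claims several ips", ip, mac))
        claimed[mac].add(ip)
    return alerts

def arp_frame(mac, ip, op=2):
    """Build a constructed broadcast ARP frame for the sample below."""
    hw, addr = bytes.fromhex(mac.replace(":", "")), bytes(map(int, ip.split(".")))
    head = b"\xff" * 6 + hw + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return head + hw + addr + b"\x00" * 6 + addr

HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [  # constructed sample: documentation IPs, locally administered MACs
    arp_frame(HOST_A, "192.0.2.1"),   # Host A announces itself
    arp_frame(HOST_B, "192.0.2.2"),   # Host B announces itself
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,  # non-ARP frame, ignored
    arp_frame(HOST_B, "192.0.2.1"),   # Host A's IP now answers from Host B's MAC
    arp_frame(HOST_A, "192.0.2.1"),   # Host A reasserts its own binding
    arp_frame(HOST_B, "192.0.2.1"),   # binding flips again
]
if __name__ == "__main__":
    print(*watch(SAMPLE), sep="\n")
```

The MAC carried in each alert also speaks to question 2 in the quoted message: it names the station whose frames are rewriting the binding.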