On Thu, 2002-02-28 at 12:39, Tony Fondo wrote:
> lsof is great also.

except (usually) if someone's running a sniffer they've compromised the box already. in which case they've probably already trojaned all the binaries that could be used to identify their sniffer (including netstat, lsof, ps, etc).

also, machines that use DHCP or BOOTP have to go into promiscuous mode in order to receive these broadcasts. This program may be picking this up instead.

it'd be interesting to see how they're detecting sniffers. I couldn't find source code available, but i wonder if it's the same way the l0pht did it originally with antisniff (send out fake packets with invalid ip addresses / hostnames / mac addresses; watch for lookups on those addresses from machines you didn't send the packets to) or if there are newer techniques for this....

-jon

--
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
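The lookup-watching check described in the message above, as an added example that is not part of the original post and is not AntiSniff's code: it scans a resolver query log for reverse lookups of decoy addresses made by hosts that were never sent the bait packets. The log format, the decoy addresses and the host IPs are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed decoy addresses: used only in bait packets, never assigned to a host.
DECOYS = {ipaddress.ip_address("10.99.0.201"), ipaddress.ip_address("10.99.0.202")}
# Hosts expected to look decoys up (the probe sender itself); hypothetical.
EXPECTED_RESOLVERS = {"192.168.1.10"}

# Constructed resolver query log, format: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2002-02-28T12:40:01 192.168.1.10 PTR 201.0.99.10.in-addr.arpa.
2002-02-28T12:40:03 192.168.1.57 PTR 201.0.99.10.in-addr.arpa.
2002-02-28T12:40:04 192.168.1.57 PTR 202.0.99.10.in-addr.arpa.
2002-02-28T12:40:05 192.168.1.23 A www.example.com.
2002-02-28T12:40:06 192.168.1.23 PTR 5.1.168.192.in-addr.arpa.
malformed line
"""

def ptr_to_ip(qname):
    """Convert 'd.c.b.a.in-addr.arpa.' to the IPv4 address a.b.c.d, or None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels)))
    except ValueError:
        return None

def suspected_sniffers(log_text, decoys=DECOYS, expected=EXPECTED_RESOLVERS):
    """Return {client_ip: sorted decoy IPs it looked up} for unexpected clients."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2].upper() != "PTR":
            continue  # skip malformed lines and non-reverse lookups
        _, client, _, qname = fields
        ip = ptr_to_ip(qname)
        if ip in decoys and client not in expected:
            hits[client].add(str(ip))
    return {client: sorted(ips) for client, ips in hits.items()}

if __name__ == "__main__":
    for client, ips in suspected_sniffers(SAMPLE_LOG).items():
        print(f"{client} resolved decoy addresses: {', '.join(ips)}")
```

A hit is a lead for follow-up on that host rather than proof of a sniffer, since it only shows the host resolved an address from traffic it was not sent.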