Ok, here are the results. I scanned a box running Linux 2.6.X with different NIC and Wireshark settings using Cain & Abel from a box running Windows XP SP2.

                                                                          B31  B16  B8   Gr   M0   M1   M3
Wireshark Off - NIC Normal mode                                           0    0    0    0    0    X    X
Wireshark Off - NIC Promiscuous mode                                      X    X    X    X    X    X    X
Wireshark On - NIC Normal mode - Promiscuous mode not set in Options      0    0    0    0    0    X    X
Wireshark On - NIC Normal mode - Promiscuous mode set in Options          X    X    X    X    X    X    X
Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options X    X    X    X    X    X    X
Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options     X    X    X    X    X    X    X
If the formatting's screwed up, here's an image: http://i9.tinypic.com/2dhwbpc.png

X = Got ARP Reply
0 = Did not get ARP Reply

B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8  = ARP destination FF:00:00:00:00:00
Gr  = ARP destination 01:00:00:00:00:00
M0  = ARP destination 01:00:5e:00:00:00
M1  = ARP destination 01:00:5e:00:00:01
M3  = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification: http://www.securityfriday.com/promiscuous_detection_01.pdf

So apparently you can quite easily detect if someone's running Wireshark on your network. (Assuming they haven't set up special rules to not reply to these revealing ARP packets or something like that.)

On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <[EMAIL PROTECTED]> said:
> Hello, I recently read the document "Promiscuous node detection using
> ARP packets" [1] about detecting network cards in promiscuous mode and
> sniffers with custom-built ARP packets. For example, tools like Cain and
> Abel [2] have that capability. But I was wondering if this actually works
> against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous
> mode, but under options in Wireshark the card is in promiscuous mode and
> I can receive all the traffic on my LAN. So is this not a problem
> anymore, since the NIC doesn't have to be manually set to promiscuous
> mode, Wireshark can do that on its own and therefore won't be detected
> by the ARP technique?
>
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
>
> --
> Hans Nilsson
> [EMAIL PROTECTED]
>
> --
> http://www.fastmail.fm - A fast, anti-spam email service.
>
> _______________________________________________
> Wireshark-users mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-users

--
Hans Nilsson
[EMAIL PROTECTED]

--
http://www.fastmail.fm - Same, same, but different…
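Added example (not from the message or the referenced PDF): it builds the raw ARP request frames for the seven probe destinations listed above, parses a reply, and applies the rule the results table implies, namely that a reply to any of B31/B16/B8/Gr/M0 indicates the host is accepting frames a NIC in normal mode would drop. The sender MAC/IP values and the sample result rows are constructed.

```python
import struct

# Probe destination MACs, taken from the legend in the message.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe",
    "B16": "ff:ff:00:00:00:00",
    "B8":  "ff:00:00:00:00:00",
    "Gr":  "01:00:00:00:00:00",
    "M0":  "01:00:5e:00:00:00",
    "M1":  "01:00:5e:00:00:01",
    "M3":  "01:00:5e:00:00:03",
}
# Per the results table, M1 and M3 were answered in every configuration,
# so only these five probes distinguish promiscuous from normal mode.
REVEALING = ("B31", "B16", "B8", "Gr", "M0")

def mac(s):  # "aa:bb:..." -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))

def ip(s):   # "192.168.1.1" -> 4 bytes
    return bytes(int(o) for o in s.split("."))

def build_arp_probe(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame (14 bytes) + ARP who-has (28 bytes) addressed to dst_mac."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0806)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac(src_mac) + ip(src_ip) + mac("00:00:00:00:00:00") + ip(target_ip)
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    if op != 2:  # opcode 2 = reply
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return smac, sip

def classify(replies):
    """replies: {probe_name: True if an ARP reply came back}. Applies the table's rule."""
    return "promiscuous" if any(replies.get(p) for p in REVEALING) else "normal"

# Constructed result rows mirroring the first two lines of the table above.
WIRESHARK_OFF_NORMAL = {"B31": False, "B16": False, "B8": False, "Gr": False,
                        "M0": False, "M1": True, "M3": True}
WIRESHARK_OFF_PROMISC = dict.fromkeys(PROBES, True)
```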
