December 2nd, 2003, 05:12 PM
How do I detect whether a sniffer program is running on my network?
December 2nd, 2003, 05:25 PM
You haven't mentioned what kind of network you have. These are some techniques that can be employed:

Send a ping packet to the IP address of the computer but not to its network adapter. E.g., if the IP address of the suspect is 126.96.36.199 and the MAC address is 00-40-05-A4-79-32, and you are on the same Ethernet segment as the suspect computer, send the packet after changing the MAC address to 00-40-05-A4-39 in the routing table. Now each computer in the network will check the packet's destination MAC address against its own and ignore it because it does not match. However, if you get a response then someone is ignoring the MAC address filter and accepting all the packets. This method can be employed on switched and bridged networks.

In the ARP method an ARP packet is used instead of ping packets. You can send an ARP packet to a non-broadcast address. If any computer on the network responds to the ARP packet then it must be in promiscuous mode.
Reverse DNS Lookup Method
The DNS lookup method can be employed remotely as well as locally. If you need to perform DNS lookups remotely, you need to monitor incoming inverse DNS lookups on the DNS server of your organization. To monitor an incoming inverse DNS lookup, you can send a ping command to all the computers in your organization for which IP addresses do not exist. Any computer on the network that is performing reverse DNS lookups on these IP addresses is probably running a sniffer program.
Source Route Method
(I am assuming that you know what source routing is.) This method is effective on small/nearby networks. Say there are 3 computers A, B, C on the same network segment and routing has been disabled on computer B. Now configure a message to computer C such that it reaches C through B. If C still responds it means it has sniffed the packet off the Ethernet wire.

But detecting a sniffing device that only collects data and does not respond to any of the information requires physically checking all your Ethernet connections, by walking around and checking the Ethernet connections individually to see if one is running in promiscuous mode, with the help of commands such as ifconfig -a, ps -aux.

Some tools that can be used to detect a sniffer are