Results 1 to 2 of 2

Thread: Sniffer

  1. #1
    Join Date
    Jan 2003


    How do i Detect whether a sniffer program is running on my network

  2. #2
    Senior Member
    Join Date
    Nov 2003
    U havent mentioned what kind of network u have. these are some techniques that can be employed

    Ping Method

    Send a ping packet to the IP address of the computer but not to its network adapter. E.g . if the ip add. of the suspect is and MAC add. Is 00-40-05-A4-79-32 and u are on the same Ethernet segment as the suspect comp. Send the packet after changing the MAC add. To 00-40-05-A4-39 in the routing table. Now each comp in the the network will check the packet destination MAC add. With its own and ignore because it does not matches its own. However I u get a response then some one if ignoring the MAC address filter and accepting all the packets. This method can be employed on switched and bridged networks

    ARP method

    In ARP method an ARP packet is used instead of ping packets. U can send a ARP packet to a non-broadcast address. If any comp on the network responds to the ARP packet then it must be in promiscuous mode.

    Reverse DNS Lookup Method

    The DNS lookup can be employed remotely as well locally. If u need to perform DNS lookups remotely u ned to monitor incoming inverse DNS lookups on the DNS server of uír org. to monitor an incoming inverse DNS lookup, u can send a ping command to all the compís in uír org. for which IP address do not exists. Any comp on the network that is performing reverse DNS lookups on these IP addresses is probably running a sniffer program..

    Source Route Method

    (I am taking that know what source routing is). This method is effective on small/nearby networks. Say there are 3 comps A,B,C on the same network segment and routing has been disabled on comp B. now configure a message to comp c such that it reaches C through B . if C still responds it means it has sniffed the packet through Ethernet wire .

    But to detect a sniffing device that only collects data and does not respond to any of the information, requires physically checking all your ethernet connections by walking around and checking the ethernet connections individually if its running in apromicious mode with the help of commands such as iconfig -a, ps -aux

    Some tools thet can be used to detect a sniffer are

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts