Is there a way that I can detect someone is sniffing packets in my network?
If the sniffer machine is totally passive and never sends/replies to a packet, no.
Sure enough....
Well... depending on how they are set up.
Do you have switches or hubs?
If you use switches, "they" must "attack" the switch first to be able to sniff your network. So your switch logs would be the first thing to check.
I know there are also some programs out there that send specially crafted packets to detect sniffers if the sniffer runs in promiscuous mode. IIRC one is called Anti-sniffer.
Ermm.. I'm just thinking.. I've learnt that I cannot sniff on a switched network.. but people say that you can use dsniff to sniff a switched network.. it seems like there are no measures to prevent sniffers.. so what can I do to detect a sniffer on my LAN?
If you are using switches you could run Arpwatch (http://www.securityfocus.com/tools/142) to see if anyone is ARP spoofing on your network. My understanding is that there are tools that detect network cards on your network that are in promiscuous mode, but I have not tested them. One such tool is Neped (http://www.securiteam.com/tools/2GUQ8QAQOU.html). I need to look for some others.
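[Added example, not part of the original thread and not Arpwatch's own code: a minimal Python sketch of the kind of check an Arpwatch-style monitor performs, flagging IP-to-MAC changes and one MAC claiming several IPs. The function name and the sample observations are constructed for illustration.]

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) as seen in ARP replies.
SAMPLE = [
    (100, "192.168.1.1",  "00:11:22:33:44:55"),  # gateway
    (101, "192.168.1.20", "00:aa:bb:cc:dd:01"),
    (102, "192.168.1.30", "00:aa:bb:cc:dd:02"),
    (160, "192.168.1.1",  "00:aa:bb:cc:dd:02"),  # gateway IP now claimed by .30's MAC
    (161, "192.168.1.20", "00:aa:bb:cc:dd:02"),  # .20's IP claimed by the same MAC
    (220, "192.168.1.1",  "00:11:22:33:44:55"),  # real gateway answers again
]

def find_arp_anomalies(observations):
    """Return (alerts, suspects).

    alerts   -- list of (ts, kind, ip, old_mac, new_mac); kind is "changed"
                for a MAC never seen for that IP, "flip-flop" when the IP
                goes back to a MAC it used before.
    suspects -- dict of MAC -> sorted IPs, for MACs that claimed more than one IP.
    """
    current = {}                  # last MAC seen for each IP
    history = defaultdict(set)    # every MAC ever seen for each IP
    claims = defaultdict(set)     # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        prev = current.get(ip)
        if prev is not None and prev != mac:
            kind = "flip-flop" if mac in history[ip] else "changed"
            alerts.append((ts, kind, ip, prev, mac))
        current[ip] = mac
        history[ip].add(mac)
        claims[mac].add(ip)
    suspects = {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}
    return alerts, suspects

if __name__ == "__main__":
    alerts, suspects = find_arp_anomalies(SAMPLE)
    for ts, kind, ip, old, new in alerts:
        print(f"t={ts} {kind}: {ip} {old} -> {new}")
    for mac, ips in suspects.items():
        print(f"{mac} claims multiple IPs: {', '.join(ips)}")
```

[A changed mapping can also come from a replaced NIC or a DHCP reassignment, and routers or virtual machine hosts can legitimately answer for several IPs, so each alert needs checking against the known inventory.]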
You can sniff a switched network just using a switch option usually called "port copy", but you need to have access to the switch conf to do that.
At most companies that I've audited, switch conf password = manufacturer name, like "cisco", "cabletron", etc --- very good admins there :P
BTW, how do I use dsniff in Windows?
What do I put for the interface?
I've only used it in Linux. Check with these guys: http://www.datanerds.net/~mike/dsniff.html
Ok, I did some more looking around, and it looks like you can use Ettercap-NG to find Slutty network cards. Here is the command:
Code:
ettercap -TP search_promisc // //
You can also use another plugin to find ARP poisoners. Get the app from:
http://ettercap.sourceforge.net/