is there a way that i can detect someone is sniffing packets in my network?
if the sniffer machine is totally passive and never sends/replies a packet, no.
Sure enough....
Well... depending on how they are setup.
Do you have switches or hubs?
If you use switches "they" must "attack" the switch first to be able to sniff your network. So your switch logs would be the first thing to check.
I know there are also some programs out there that send specially crafted packets to detect sniffers if the sniffer runs in promiscuous mode. IIRC one is called Anti-sniffer.
ermm.. i'm just thinking.. i've learnt that i cannot sniff on a switched network.. but ppl say that you can use dsniff to sniff a switched network.. it seems like there are no measures to prevent sniffers.. so what can i do to detect a sniffer on my LAN?
If you are using switches you could run Arpwatch (http://www.securityfocus.com/tools/142) to see if anyone is ARP spoofing on your network. My understanding is that there are tools that detect network cards on your network that are in promiscuous mode, but I have not tested them. One such tool is Neped (http://www.securiteam.com/tools/2GUQ8QAQOU.html). I need to look for some others.
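The kind of check Arpwatch does, as an added example (not code from the thread or from Arpwatch itself): it parses raw Ethernet/ARP reply frames and flags an IP whose MAC binding changes, which is exactly what ARP spoofing on a switched LAN produces. All MACs, IPs and frames below are constructed sample data.

```python
"""Added example: arpwatch-style ARP spoofing monitor over raw ARP frames."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"

def _mac(m): return bytes(int(x, 16) for x in m.split(":"))
def _ip(a): return bytes(int(x) for x in a.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP reply frame (used only to construct sample input)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])         # sender protocol address
    return oper, mac, ip

def detect_arp_spoofing(frames):
    """Walk frames in order and return alerts:
    ('changed', ip, old_mac, new_mac) - an IP's MAC binding flipped
    ('multi-ip', mac, [ips])          - one MAC claims several IPs, e.g. posing as the gateway
    The second is a heuristic: routers and multi-homed hosts trigger it legitimately."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue            # only replies end up in the victims' ARP caches
        _, mac, ip = parsed
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("changed", ip, old, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("multi-ip", mac, sorted(mac_to_ips[mac])))
    return alerts

# Constructed sample traffic: the real gateway answers for 192.168.1.1, a host answers
# for its own 192.168.1.20, then that same host (hypothetical MAC) claims the gateway IP.
GW, HOST, VICTIM = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:20", "aa:bb:cc:00:00:0a"
SAMPLE_FRAMES = [
    build_arp_reply(GW, "192.168.1.1", VICTIM, "192.168.1.10"),
    build_arp_reply(HOST, "192.168.1.20", VICTIM, "192.168.1.10"),
    build_arp_reply(HOST, "192.168.1.1", VICTIM, "192.168.1.10"),
]
```

Feed it frames read from a pcap (or a raw socket on the same segment) instead of SAMPLE_FRAMES; the first alert on the sample is the "changed" binding for 192.168.1.1, the second the spoofer's MAC answering for two IPs.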
you can sniff a switched network just using a switch option usually called "port copy". but you need to have access to the switch conf to do that.
at most companies that I've audited the switch conf password = manufacturer name, like "cisco", "cabletron", etc --- very good admins there :P
btw how do i use dsniff in windows?
what do i put for the interface
I've only used it in linux. Check with these guys: http://www.datanerds.net/~mike/dsniff.html
Ok, I did some more looking around, and it looks like you can use Ettercap-NG to find Slutty network cards. Here is the command:
Code:
ettercap -TP search_promisc // //
You can also use another plugin to find ARP poisoners. Get the app from:
http://ettercap.sourceforge.net/
There are different methods to find sniffers
1. Ping method - by changing the MAC address.
2. ARP method
3. Reverse DNS lookup method
4. Source-route method
explain with more details how, pls.
Quote:
Originally posted here by anban
There are different methods to find sniffers
1. Ping method - by changing the MAC address.
2. ARP method
3. Reverse DNS lookup method
4. Source-route method
search google or visit sans.org
The key is that a network card is usually in promiscuous mode in order to sniff a network or network segment. It doesn't _require_ an IP to do this. If it is in a switched network, the sniffer will only see that traffic that passes by its own port. If the switched network is reasonably secured (config passwords on switches hardened (been there, done that)) that will be as far as the sniffer can go.
To detect a sniffer in promiscuous mode, you will likely have to run your detection tool in the same segment (maybe even on the same switch) as the suspected sniffer. If the sniffer is a trojan-based tool and riding on one of your systems, you should be able to ID the system using the ARP method in the same segment. If the sniffer is a dual-homed laptop plugged into an open network port in your building, you are probably more likely to find it by "war-walking"--walking around and looking. Carry a big stick or bring a big security guard.
I've used dsniff, and haven't been able to sniff past the switched segment in my environment.
If you want to use Windows XP as your sniffer platform, you install the WinPcap library (freely available), then install WinDump and Ethereal. On mine, I wrote a simple script that fires a windump command line every five minutes to capture about 30,000 packets on the slutty port, and gives the resulting capture a random file name in a specific folder. Since I am in a switched network, and the switches are hardened, I must needs have a way to look at the router traffic. Therefore, I have a mirror port on the router that sees all, knows all ...
With WinXP, you need all the resources possible when sniffing a large pipe. So, strip down the OS as best you can. Remove anything not absolutely needed, then add the tools above. You can find the tool websites by Googling the words.
i found that too.. i have already downloaded it but i just simply can't find the doc on how to run the program..
Quote:
Originally posted here by Irongeek
I've only used it in linux. Check with these guys: http://www.datanerds.net/~mike/dsniff.html
Both are command line tools right? I would think it's the same in both linux and windows. There is a man page for Dsniff here:
http://www.zevils.com/cgi-bin/man/man2html?dsniff+8
why does ARP have the capability to sniff on a switched network?
Quote:
Originally posted here by rapier57
The key is that a network card is usually in promiscuous mode in order to sniff a network or network segment. It doesn't _require_ an IP to do this. If it is in a switched network, the sniffer will only see that traffic that passes by its own port. If the switched network is reasonably secured (config passwords on switches hardened (been there, done that)) that will be as far as the sniffer can go.
To detect a sniffer in promiscuous mode, you will likely have to run your detection tool in the same segment (maybe even on the same switch) as the suspected sniffer. If the sniffer is a trojan-based tool and riding on one of your systems, you should be able to ID the system using the ARP method in the same segment. If the sniffer is a dual-homed laptop plugged into an open network port in your building, you are probably more likely to find it by "war-walking"--walking around and looking. Carry a big stick or bring a big security guard.
I've used dsniff, and haven't been able to sniff past the switched segment in my environment.
If you want to use Windows XP as your sniffer platform, you install the WinPcap library (freely available), then install WinDump and Ethereal. On mine, I wrote a simple script that fires a windump command line every five minutes to capture about 30,000 packets on the slutty port, and gives the resulting capture a random file name in a specific folder. Since I am in a switched network, and the switches are hardened, I must needs have a way to look at the router traffic. Therefore, I have a mirror port on the router that sees all, knows all ...
With WinXP, you need all the resources possible when sniffing a large pipe. So, strip down the OS as best you can. Remove anything not absolutely needed, then add the tools above. You can find the tool websites by Googling the words.
what is the logic behind it?
i have tried ethereal but not windump.. ethereal simply gave me the broadcast packets.. that's why i am looking into dsniff.. but so far i cannot find doc on how to run the program...
Dsniff comes with another program called Arpspoof. You can find more info about arpspoofing here:
http://www.irongeek.com/i.php?page=security/arpspoof
ARP can resolve the MAC of a sniffing NIC if you have the originating IP. This helps when you have to hunt down a system on a network where DHCP is given out to any system that connects, or trying to nail down someone who has co-opted one of your precious IP numbers without authorization.
As for WinDump, it does a command line sniff of the slutty port, and dumps the results into a log file. Ethereal reads those files so you don't have to try to run Ethereal as a sniffer directly (not a fun project). I use WinDump on the sniffer (dual ported box) and run Ethereal on my workstation. Map a share to the folder where WinDump drops the log files, copy the ones you want to use to your workstation, run Ethereal and open the subject file.
You can build filters and such in Ethereal to help analyze the results of the sniffs and identify certain activity. It will also show you what is encrypted and what is not.
Honestly, Ethereal is a very nice program. It runs just fine as a sniffer in a small network, on a stripped down WinXP box. I have WinDump grabbing packets off of a very large pipe. So, using Ethereal directly would not work well at all, too many dropped packets. The 30k packet sniff works well and gives me about a 2 to 3 MB file to examine. The 5 minute frequency is enough to capture the character of a point in time based on our MRTG graph.