Great Circle Associates Firewalls
(October 1996)

Subject: Re: Sniffer detection.
From: Gene Lee <genel @ inforamp . net>
Organization: Me, Incorporated
Date: Mon, 07 Oct 1996 14:02:01 -0400
To: Bradley Smith <brads @ access . digex . net>
Cc: Esakov Dmitriy <esakov @ relcom . eu . net>, firewalls @ GreatCircle . COM
References: <Pine . SUN . 3 . 94 . 961007145712 . 4612A-100000 @ access1 . digex . net>

Bradley Smith wrote:
> I used to do something very basic for this.  There are several code
> snippets available to get interface values (i.e. cpm, ifstatus).  I'd run
> these from cron, mail results to file, tail file with swatch and look for
> a lexical string indicating the interface was in prom (sp) mode.
> 
> If the status code returned indicated a "sniffer," I'd mail the results to
> my pager and shut the interface down.  You could get even more creative
> than this with netstats, reverse finger, etc.

This is fine for unix machines which you have administrative control
over, but what about a rogue PC notebook running DataGlance or LANAlyzer
inserted into your Ethernet network somewhere on the wire? Also keep in
mind some NICs are custom built to not broadcast the fact that they are
in promiscuous mode. The only way to detect something like this would be
to physically check each interface connected to your network.

--
Gene Lee
genel @ inforamp . net
genelee @ vnet . ibm . com
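The cron-driven check Bradley describes, as an added example that is not from this thread or from cpm/ifstatus themselves: it parses `ip -o link show` output (assumed: Linux with iproute2) for the PROMISC flag and logs any hit, and, as Gene's reply points out, it can only ever see hosts you administer, never a rogue notebook or a NIC that hides promiscuous mode.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Host-based promiscuous-interface check in the spirit of cpm/ifstatus.
# Assumes Linux with iproute2; run check_host from cron and let MAILTO
# (or a mail-to-pager gateway) deliver the non-empty output.

# promisc_ifaces: read `ip -o link show` style lines on stdin and print the
# name of every interface whose flag set contains PROMISC, one per line.
# Line format: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu ..."
# The "@peer" suffix of veth/tap names ("3: veth1@if5: <...>") is stripped.
promisc_ifaces() {
    awk -F': ' '$3 ~ /<[^>]*PROMISC[^>]*>/ { sub(/@.*/, "", $2); print $2 }'
}

# check_host: run the live check on this machine. Logs each promiscuous
# interface to syslog (auth.warning) and returns 1 so cron notices.
check_host() {
    found=$(ip -o link show 2>/dev/null | promisc_ifaces)
    [ -z "$found" ] && return 0
    for ifc in $found; do
        logger -p auth.warning -t promisc-check \
            "interface $ifc in promiscuous mode on $(hostname)"
        echo "PROMISC: $ifc"
    done
    return 1
}

# Constructed sample output (not captured from a real host) so the parser
# can be exercised offline: eth0 and tap0 are promiscuous, lo and veth1 not.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: veth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default
4: tap0@NONE: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000'

# sample_hits: parse the constructed sample; prints "eth0" and "tap0".
sample_hits() {
    printf '%s\n' "$SAMPLE" | promisc_ifaces
}

sample_hits
```

Pair it with a cron entry such as `*/5 * * * * /usr/local/sbin/promisc-check` and a swatch rule on the `promisc-check` syslog tag if you want the paging behaviour from the original post.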

