Detecting Sniffers on Your Network
Sniffers are typically passive programs
• They put the network interface in promiscuous mode and
listen for traffic
• They can be detected by programs such as:
– ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4C
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
– cpm (Check Promiscuous Mode)
– ifstatus
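The ifconfig output above shows the PROMISC flag in the interface's flag line; cpm and ifstatus query the same kernel flag directly. The following script is an added example (not part of the original slides, and not the code of cpm or ifstatus): it parses ifconfig text for PROMISC in both the older "Link encap:" layout and the newer "flags=<...>" layout, and it also reads the flag word the Linux kernel exposes under /sys/class/net/<iface>/flags, where bit 0x100 is IFF_PROMISC. The ifconfig text embedded in the script is a constructed sample based on the slide.

```python
"""Report Linux interfaces that are in promiscuous mode.

Two checks: parse `ifconfig` output for the PROMISC flag, and read the
interface flag word from sysfs (/sys/class/net/<iface>/flags), where bit
0x100 is IFF_PROMISC as defined in <linux/if.h>.
"""
from __future__ import annotations

import glob
import os
import re

IFF_PROMISC = 0x100  # <linux/if.h>: interface receives all packets

# An unindented line starts an interface block: "eth0      Link encap:..." (net-tools 1.x)
# or "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>" (net-tools 2.x).
IFACE_HEADER = re.compile(r"^(\S+?):?\s")


def promisc_from_ifconfig(output: str) -> list[str]:
    """Return interface names whose ifconfig block carries the PROMISC flag."""
    found: list[str] = []
    current = None
    for line in output.splitlines():
        if line and not line[0].isspace():
            m = IFACE_HEADER.match(line)
            current = m.group(1) if m else None
        # Word boundaries match both "RUNNING PROMISC MULTICAST" and "<...,PROMISC,...>".
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def flags_indicate_promisc(flags_value: str) -> bool:
    """flags_value is the hex text read from /sys/class/net/<iface>/flags, e.g. '0x1143'."""
    return bool(int(flags_value.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(root: str = "/sys/class/net") -> list[str]:
    """Return interface names whose sysfs flag word has IFF_PROMISC set."""
    found: list[str] = []
    for path in sorted(glob.glob(os.path.join(root, "*", "flags"))):
        try:
            with open(path) as fh:
                value = fh.read()
        except OSError:
            continue  # interface disappeared or is unreadable; skip it
        if flags_indicate_promisc(value):
            found.append(os.path.basename(os.path.dirname(path)))
    return found


# Constructed sample modelled on the slide's ifconfig output (not captured from a real host).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4C
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    print("PROMISC in sample ifconfig text:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("PROMISC on this host (sysfs):", promisc_from_sysfs())
```

The sysfs check is the more reliable of the two on a current system, because it reads the same kernel flag that ifconfig, cpm and ifstatus report rather than depending on a particular output layout. Note that a sniffer run by a root-level attacker can hide the flag from local tools, which is why the slides go on to network-side checks.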
• Suspicious DNS lookups
– Sniffer attempts to resolve names associated with IP addresses (may
be part of normal operation)
– Trap: generate connection from fake IP address not in local network
and detect attempt to resolve name
• Latency
– Use ping to analyze response time of host A
– Generate huge amount of traffic to other hosts and analyze response
time of host A
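The DNS trap above has two halves: send traffic carrying a decoy source address that no legitimate host on the segment would ever need to resolve, then watch the DNS server's query log for a PTR lookup of that address. The script below is an added example (not from the original slides) that implements the watching half over query-log lines. The log format it parses is a simplified BIND-style "client <ip>#<port>: query: <name> IN <type>" line, and the embedded log lines and the decoy address 203.0.113.77 (from the TEST-NET-3 documentation range) are constructed for the example.

```python
"""DNS-trap detector: which hosts tried to reverse-resolve the decoy address?

A sniffer that resolves captured addresses to host names will ask the DNS
server for the PTR record of the decoy.  Since the decoy address was never
really on the network, the only host with a reason to ask is one that saw the
decoy packet, i.e. one listening promiscuously.
"""
from __future__ import annotations

import ipaddress
import re

# Simplified BIND query-log line (assumed format for this example).
QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)


def decoy_ptr_name(decoy_ip: str) -> str:
    """Reverse-pointer name a resolver asks for, e.g. 77.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(decoy_ip).reverse_pointer


def hosts_resolving_decoy(log_lines, decoy_ip: str) -> list[str]:
    """Return the source addresses that requested the PTR record of the decoy."""
    target = decoy_ptr_name(decoy_ip).lower()
    suspects: list[str] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue  # not a query line, or not a reverse lookup
        if m.group("name").rstrip(".").lower() == target:
            src = m.group("src")
            if src not in suspects:
                suspects.append(src)
    return suspects


# Constructed sample log: one host reverse-resolves the decoy, the others do normal lookups.
SAMPLE_LOG = [
    "client 192.168.1.10#53011: query: www.example.com IN A",
    "client 192.168.1.20#41235: query: 77.113.0.203.in-addr.arpa IN PTR",
    "client 192.168.1.10#53012: query: 1.1.168.192.in-addr.arpa IN PTR",
    "client 192.168.1.20#41236: query: mail.example.com IN A",
]

if __name__ == "__main__":
    decoy = "203.0.113.77"
    print("Decoy PTR name:", decoy_ptr_name(decoy))
    print("Hosts that resolved the decoy:", hosts_resolving_decoy(SAMPLE_LOG, decoy))
```

As the slide notes, reverse lookups can be part of normal operation, so the decoy must be an address that nothing on the segment would otherwise resolve; the query log is then checked only for that one name, which keeps benign PTR traffic (such as the 192.168.1.1 lookup in the sample) out of the result.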
• Kernel behavior
– Linux
• When in promiscuous mode, some kernels will accept a packet that has
the wrong Ethernet address but the right destination IP address