Re: Mostly Apache some Sniffit
> JOO>> Yes, but with a laptop loaded with a sniffer connected to
> JOO>> your network there is really no way to detect this, or to
>
> That's what I was saying - there is a way to detect promiscuous interfaces
> (read: sniffers) on the network (if it's Linux which is sniffing).
> Something to do with ARP queries and the way Linux handles these queries,
> IIRC. The rest had escaped my memory - use archives.
You are so correct. Here is an excerpt from the "Network Packet Capture
FAQ":
For SunOS, NetBSD, and other possible BSD derived Unix systems, there is
a command
"ifconfig -a"
that will tell you information about all the interfaces and if they are
in promiscuous mode. DEC OSF/1 and IRIX and possible other OSes require
the device to be specified. One way to find out what interface is on the
system, you can execute:
# netstat -r
Routing tables
Internet:
Destination      Gateway          Flags  Refs  Use    Interface
default          iss.net          UG     1     24949  le0
localhost        localhost        UH     2     83     lo0
Then you can test for each interface by doing the following command:
# ifconfig le0
le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST>
inet 127.0.0.1 netmask 0xffffff00 broadcast 255.0.0.1
Intruders often replace commands such as ifconfig to avoid detection.
Make sure you verify its checksum.
The URL is:
http://www.iss.net/vd/packcapt.html#what
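
Added example, not part of the original message or the FAQ: a shell filter that automates the flag check above by reading ifconfig-style output and listing every interface whose flags include PROMISC. It goes beyond the FAQ's SunOS/BSD case by also accepting the older Linux net-tools layout. The function names promisc_ifaces and sample_ifconfig are hypothetical, and all sample stanzas except the le0 flags line are constructed.

```shell
#!/bin/sh
# Added example: report interfaces that ifconfig shows in promiscuous mode.

# promisc_ifaces: read ifconfig-style text on stdin and print one interface
# name per line for every stanza whose flag list contains PROMISC.
promisc_ifaces() {
    awk '
        function report() {
            if (!(iface in seen)) { seen[iface] = 1; print iface }
        }
        # Stanza header: text in column 1, e.g. "le0: flags=..." or "eth1  Link encap:..."
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        # BSD/SunOS and newer net-tools layout: flags=NNNN<UP,BROADCAST,...>
        match($0, /flags=[0-9a-fA-F]+<[^>]*>/) {
            list = substr($0, RSTART, RLENGTH)
            sub(/^[^<]*</, "", list); sub(/>$/, "", list)
            n = split(list, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") report()
        }
        # Older Linux net-tools layout: indented "UP BROADCAST RUNNING PROMISC ... MTU:1500"
        /^[ \t]/ && /MTU:/ {
            for (i = 1; i <= NF; i++) if ($i == "PROMISC") report()
        }
    '
}

# Constructed sample input; only the le0 flags line is taken from the FAQ excerpt.
sample_ifconfig() {
    cat <<'EOF'
le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST>
        inet 127.0.0.1 netmask 0xff000000
eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}

# Demo on the constructed sample: prints le0 and eth1.
sample_ifconfig | promisc_ifaces
```

On a live host, pipe real output through it with "ifconfig -a | promisc_ifaces", using an ifconfig binary whose checksum you have verified.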