
Re: Mostly Apache some Sniffit



On Sun, Mar 14, 1999 at 06:17:42PM +0200, Adam Morrison wrote:

[my description of ARP behaviour snipped]

> There are some techniques for identifying a machine that has its
> interface in promiscuous mode (i.e. is running a sniffer).
> Specifically, since a machine in promiscuous mode is essentially
> processing every packet on its segment, its response times will
> differ from other non-sniffing machines.

Nice method. But don't you need a lot of information about the
machines on the network (what hardware, what load) before you can
count on this?

And anyway, sniffers can be passive; they don't need an IP address.

> There's nothing Linux specific about these techniques and they are much
> harder to evade.
> 
> > BTW, if you need reliable packet capture, use a machine that isn't
> > participating in the captured traffic. If you need very reliable capture,
> > don't even use tcpdump.
> 
> Tcpdump is fine; the OS specific kernel level packet capture gook may
> not be.

I admit I haven't gone into libpcap sources, but I should think it
operates on mbufs already in the stack, not on copies of them. This
means that unless you know your stack never "does things" to packets,
you can't assure they haven't been changed by the time your tcpdump
sees them. Case in point:

S is a sniffer on the network.
A is S's default gateway.
C is a host on the same network that has a route saying that S is
  its default gateway.

Now ping from C to some host outside the network. Be sure to look
at the MAC headers.

This may have all sorts of "interesting" implications.

Gaal
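The three-host scenario above, worked through as an added example (this is not code from the thread, and the MAC and IP addresses in it are constructed documentation values, not real hosts): it models the rewriting any IPv4 forwarding stack applies to a packet it routes on behalf of C, so the "before" and "after" views of the same ping can be compared byte for byte. Which of those two views a given OS hands to libpcap is exactly the OS-specific question left open above; the example shows what each looks like so a reader checking MAC headers in a capture knows what to expect.

```python
"""Added example: the two faces of one ping when C routes through S and S
forwards to A. Addresses are constructed, not real hosts."""
import struct

# Constructed addresses for the three hosts in the scenario.
MAC_C = bytes.fromhex("02000000000c")   # C, the pinging host
MAC_S = bytes.fromhex("020000000005")   # S, the sniffer that C routes through
MAC_A = bytes.fromhex("02000000000a")   # A, S's default gateway
IP_C = bytes([10, 0, 0, 12])
IP_OUTSIDE = bytes([192, 0, 2, 1])      # TEST-NET-1 address standing in for "outside"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used for both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def build_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64) -> bytes:
    """Ethernet II + IPv4 + ICMP echo request, as C would put it on the wire."""
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")
    struct.pack_into("!H", icmp, 2, inet_checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp),
                               0x1234, 0, ttl, 1, 0, src_ip, dst_ip))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + bytes(icmp)


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields a reader would compare between the two captures."""
    ip = frame[14:34]
    _, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip)
    return {
        "dst_mac": mac_str(frame[:6]),
        "src_mac": mac_str(frame[6:12]),
        "ttl": ttl,
        "proto": proto,
        "src_ip": ".".join(map(str, sip)),
        "dst_ip": ".".join(map(str, dip)),
        "ip_checksum_ok": inet_checksum(ip) == 0,   # a correct header sums to zero
        "payload": frame[34:],
    }


def forward_frame(frame: bytes, own_mac: bytes, next_hop_mac: bytes):
    """Standard IPv4 forwarding (RFC 1812) as S's stack would apply it: a new
    Ethernet header for the next hop, TTL decremented, IP checksum recomputed.
    Returns None where the stack would discard the packet (TTL exhausted)."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        return None
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return next_hop_mac + own_mac + frame[12:14] + bytes(ip) + frame[34:]


def capture_views() -> dict:
    """The same ping as seen before and after S's stack has touched it."""
    ingress = build_echo_frame(MAC_C, MAC_S, IP_C, IP_OUTSIDE)
    egress = forward_frame(ingress, MAC_S, MAC_A)
    before, after = parse_frame(ingress), parse_frame(egress)
    changed = sorted(k for k in before if before[k] != after[k])
    return {"ingress": before, "egress": after, "changed_fields": changed}


if __name__ == "__main__":
    views = capture_views()
    for side in ("ingress", "egress"):
        v = views[side]
        print("%-7s %s -> %s  ttl=%d  %s -> %s" % (side, v["src_mac"], v["dst_mac"],
                                                   v["ttl"], v["src_ip"], v["dst_ip"]))
    print("fields rewritten by the forwarding stack:", views["changed_fields"])
```

Only the Ethernet addresses and the TTL (with its checksum) change; the IP endpoints and the ICMP payload are identical in both views, which is why a capture that only looks at IP fields can miss that it was taken on the far side of the stack's rewrite.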