
Re: Mostly Apache some Sniffit



Gaal Yahas writes:

> > That's what I was saying - there is a way to detect promiscuous interfaces
> > (read: sniffers) on the network (if it's Linux which is sniffing).
> > Something to do with ARP queries and the way Linux handles these queries, 
> > IIRC. The rest had escaped my memory - use archives.
>
> The idea being that linux answers ARPs that don't belong to it when in
> promiscuous mode. Specifically, if you send a TCP packet to the sniffer's
> IP, but it has the wrong MAC address on it, you'll get back a RST.
> 
> This technique shouldn't be relied on for the following reason:

There are some techniques for identifying a machine that has its
interface in promiscuous mode (i.e. is running a sniffer).  Specifically,
since a machine in promiscuous mode is essentially processing every packet
on its segment, its response times will differ from other non-sniffing
machines.

There's nothing Linux specific about these techniques and they are much
harder to evade.

> BTW, if you need reliable packet capture, use a machine that isn't
> participating in the captured traffic. If you need very reliable capture,
> don't even use tcpdump.

Tcpdump is fine; the OS specific kernel level packet capture gook may
not be.