Re: Mostly Apache some Sniffit
On Fri, Mar 12, 1999 at 04:20:44AM +0200, Stanislav Malyshev a.k.a Frodo wrote:
> JOO>> Yes, but with a laptop loaded with a sniffer connected to
> JOO>> your network there is really no way to detect this, or to
>
> That's what I was saying - there is a way to detect promiscuous interfaces
> (read: sniffers) on the network (if it's Linux which is sniffing).
> Something to do with ARP queries and the way Linux handles these queries,
> IIRC. The rest had escaped my memory - use archives.

The idea being that Linux answers ARPs that don't belong to it when in
promiscuous mode. Specifically, if you send a TCP packet to the sniffer's
IP, but it has the wrong MAC address on it, you'll get back a RST.

This technique shouldn't be relied on for the following reason:
It depends on a quirk (bug really) of Linux's stack implementation. This
means that (a) it doesn't work against other OSes - you won't see a Solaris
running snoop - and (b) it may stop happening in future versions of NET-x
(in fact maybe it already has :-)

BTW, if you need reliable packet capture, use a machine that isn't
participating in the captured traffic. If you need very reliable capture,
don't even use tcpdump.

--
believing is seeing
gaal@forum2.org
http://www.forum2.org/gaal/
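
The check described in the message above, as an added example that is not part of the original post: it builds the misaddressed probe frame (right IP, wrong destination MAC) and classifies a reply. The SYN flag, the function names and all addresses are assumptions chosen for illustration; putting the frame on the wire needs a raw link-layer socket and is left out.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags=0x02):
    """Ethernet/IPv4/TCP frame; flags defaults to SYN (an assumption)."""
    s, d = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def is_rst_from(frame, target_ip, probe_sport, probe_dport):
    """True if frame is a TCP RST from target_ip answering the probe's ports."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return False
    if frame[23] != socket.IPPROTO_TCP or frame[26:30] != socket.inet_aton(target_ip):
        return False
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(tcp) < 20:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    return bool(tcp[13] & 0x04) and sport == probe_dport and dport == probe_sport

# Constructed sample values (documentation IP range, locally administered MACs).
OUR_MAC = bytes.fromhex("020000000001")
HOST_MAC = bytes.fromhex("020000000002")   # the suspected sniffer's real MAC
WRONG_MAC = bytes.fromhex("0200000000ff")  # unicast MAC owned by no host
OUR_IP, HOST_IP = "192.0.2.10", "192.0.2.20"

# Probe: correct destination IP, deliberately wrong destination MAC.
PROBE = build_frame(WRONG_MAC, OUR_MAC, OUR_IP, HOST_IP, 40000, 80)
# Constructed reply of the kind the post describes (RST+ACK from the host).
REPLY = build_frame(OUR_MAC, HOST_MAC, HOST_IP, OUR_IP, 80, 40000, flags=0x14)

if __name__ == "__main__":
    print("probe bytes:", PROBE.hex())
    print("host answered misaddressed frame:", is_rst_from(REPLY, HOST_IP, 40000, 80))
```

A host whose interface is not in promiscuous mode never sees the probe, so silence is the expected result there; as the message notes, a RST only tells you something about stacks that share this quirk.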