
Re: Mostly Apache some Sniffit



On Fri, Mar 12, 1999 at 04:20:44AM +0200, Stanislav Malyshev a.k.a Frodo wrote:
> JOO>> Yes, but with a laptop loaded with a sniffer connected to
> JOO>> your network there is really no way to detect this, or to
> 
> That's what I was saying - there is a way to detect promiscuous interfaces
> (read: sniffers) on the network (if it's Linux which is sniffing).
> Something to do with ARP queries and the way Linux handles these queries,
> IIRC. The rest had escaped my memory - use archives.

The idea being that Linux answers ARPs that don't belong to it when in
promiscuous mode. Specifically, if you send a TCP packet to the sniffer's
IP, but it has the wrong MAC address on it, you'll get back a RST.

This technique shouldn't be relied on for the following reason:

It depends on a quirk (bug really) of Linux's stack implementation. This
means that (a) it doesn't work against other OSes - you won't see a Solaris
running snoop - and (b) it may stop happening in future versions of NET-x
(in fact maybe it already has :-)

BTW, if you need reliable packet capture, use a machine that isn't
participating in the captured traffic. If you need very reliable capture,
don't even use tcpdump.

--
believing is seeing
gaal@forum2.org
http://www.forum2.org/gaal/
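The wrong-MAC probe described in the message above, modelled as an added example in Python (not code from the thread or its author): it simulates the link-layer filter, the old Linux stack quirk, and a stack without the quirk, so it shows both why a promiscuous quirky host answers with a RST and why a non-promiscuous host or a Solaris-style stack gives no signal. The MACs, IPs and port are constructed.

```python
"""Simulation of the promiscuous-mode probe: no packets are sent."""
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "02:00:00:00:00:01"  # constructed: deliberately not the target's MAC


@dataclass
class Frame:
    dst_mac: str
    dst_ip: str
    dport: int
    flags: str  # "S" = SYN, "R" = RST, "SA" = SYN/ACK


@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False
    quirky_stack: bool = True  # the old Linux behaviour the post relies on
    open_ports: frozenset = frozenset()

    def nic_accepts(self, frame: Frame) -> bool:
        """Link layer: own MAC or broadcast only, unless the NIC is promiscuous."""
        if frame.dst_mac in (self.mac, BROADCAST_MAC):
            return True
        return self.promiscuous

    def ip_accepts(self, frame: Frame) -> bool:
        """IP layer: a correct stack drops frames addressed to a foreign MAC;
        the quirky stack processes them anyway."""
        if frame.dst_ip != self.ip:
            return False
        return frame.dst_mac == self.mac or self.quirky_stack

    def receive(self, frame: Frame):
        """Return the TCP reply frame the host would emit, or None."""
        if not self.nic_accepts(frame) or not self.ip_accepts(frame):
            return None
        if frame.flags != "S":
            return None
        reply_flags = "SA" if frame.dport in self.open_ports else "R"
        return Frame(dst_mac="prober", dst_ip="prober", dport=0, flags=reply_flags)


def looks_promiscuous(host: Host, port: int = 4444) -> bool:
    """Send a SYN with a wrong MAC; any TCP reply means the stack saw the frame."""
    reply = host.receive(Frame(BOGUS_MAC, host.ip, port, "S"))
    return reply is not None and reply.flags in ("R", "SA")
```

Only the quirky promiscuous host answers; the other cases return nothing, which is exactly the false-negative the post warns about.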