
Re: Mostly Apache some Sniffit



> JOO>> Yes, but with a laptop loaded with a sniffer connected to
> JOO>> your network there is really no way to detect this, or to
>
> That's what I was saying - there is a way to detect promiscuous interfaces
> (read: sniffers) on the network (if it's Linux which is sniffing).
> Something to do with ARP queries and the way Linux handles these queries,
> IIRC. The rest had escaped my memory - use archives.

You are so correct.  Here is an excerpt from the "Network Packet Capture
FAQ":

     For SunOS, NetBSD, and other possible BSD derived Unix systems, there
     is a command

      "ifconfig -a"

     that will tell you information about all the interfaces and if they
     are in promiscuous mode. DEC OSF/1 and IRIX and possibly other OSes
     require the device to be specified. One way to find out what interface
     is on the system, you can execute:

      # netstat -r
      Routing tables
      Internet:
      Destination      Gateway            Flags     Refs     Use  Interface
      default          iss.net            UG          1    24949  le0
      localhost        localhost          UH          2       83  lo0

     Then you can test for each interface by doing the following command:

      # ifconfig le0
      le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST>
              inet 127.0.0.1 netmask 0xffffff00 broadcast 255.0.0.1


     Intruders often replace commands such as ifconfig to avoid detection.
     Make sure you verify its checksum.

The URL is:

   http://www.iss.net/vd/packcapt.html#what
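
The check described in the FAQ excerpt above, as an added example that is not part of the original message or of the FAQ: a small parser that reads `ifconfig`-style output and lists every interface whose flag list contains PROMISC, going beyond the single `le0` case to all interfaces in the output. The function names and the sample output are constructed for illustration, and the result is only as trustworthy as the `ifconfig` binary that produced the input.

```shell
#!/bin/sh
# Added example (not from the original message or the FAQ).
# promisc_ifaces: read ifconfig-style output on stdin and print the name of
# every interface whose symbolic flag list contains the PROMISC flag.
# Usage on a host whose ifconfig checksum has been verified:
#   ifconfig -a | promisc_ifaces
promisc_ifaces() {
    awk '
    # Interface header line, e.g. "le0: flags=8863<UP,...,PROMISC,...>"
    /^[^ \t][^ \t]*:[ \t]*flags=[0-9a-fA-F]+</ {
        name = $0
        sub(/:[ \t]*flags=.*$/, "", name)   # keep only the interface name
        list = $0
        sub(/^[^<]*</, "", list)            # drop everything up to "<"
        sub(/>.*$/, "", list)               # drop ">" and what follows
        n = split(list, flag, ",")
        # Compare whole flag tokens, not substrings of the line.
        for (i = 1; i <= n; i++)
            if (flag[i] == "PROMISC") { print name; break }
    }'
}

# sample_output: constructed ifconfig output for demonstration only.
sample_output() {
    cat <<'EOF'
le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST>
        inet 127.0.0.1 netmask 0xff000000
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
EOF
}

# count_promisc: number of promiscuous interfaces in the input on stdin.
count_promisc() {
    promisc_ifaces | wc -l | tr -d ' '
}
```
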