Re: Mostly Apache some Sniffit



gaal@forum2.org writes:

> > There are some techniques for identifying a machine that has its
> > interface in promiscuous mode (i.e. is running a sniffer).
> > Specifically, since a machine in promiscuous mode is essentially
> > processing every packet on its segment, its response times will
> > differ from other non sniffing machines.
> 
> Nice method. But don't you need a lot of information about the
> machines on the network (what hardware, what load) before you can
> count on this?
> And anyway, sniffers can be passive; they don't need an IP address.

Quite.  But these are special purpose sniffers; I was talking about
detecting a sniffer running on a multipurpose host.  (Something intruders
are more likely to do.)

> > Tcpdump is fine; the OS specific kernel level packet capture gook may
> > not be.
> 
> I admit I haven't gone into libpcap sources, but I should think it
> operates on mbufs already in the stack, not on copies of them.

I'm afraid it doesn't, because neither tcpdump nor libpcap runs in kernel
mode.  The OS copies received packets to the tcpdump process.  Now, systems
that have in-kernel BPF can copy only the packets specified by the filter to
tcpdump, so the overhead varies.  Systems without BPF have to copy every
received packet and let libpcap do the filtering in user space.  And then
there are other possible inefficiencies in the way the kernel deals with
promiscuous interfaces; someone here mentioned NFR -- the commercial version
of NFR does not work on a stock BSD system; even that can't keep up with
high bandwidths.

> This
> means that unless you know your stack never "does things" to packets,
> you can't assure they haven't been changed by the time your tcpdump
> sees them. Case in point:
> 
> S is a sniffer on the network.
> A is S's default gateway.
> C is a host on the same network, that has a route saying that S is
>   its default gateway.
> 
> Now ping from C to some host outside the network. Be sure to look
> at the MAC headers.

So what, exactly?  It works as intended unless something is broken.  And the
fact that a sniffer is running on S is irrelevant, btw.
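An added illustration of the in-kernel BPF point made above; this is not code from the thread. It is a minimal classic-BPF interpreter in C running the program that `tcpdump -dd 'ip and icmp'` emits over constructed Ethernet/IPv4 frames: a nonzero result is the byte count the kernel copies up to the capture process, zero means the packet never leaves the kernel, which is exactly the copy a system without BPF cannot avoid. The 262144 snaplen value and the sample frames are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Classic BPF instruction: same layout as the kernel's struct sock_filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* "ip and icmp" over Ethernet, in the form `tcpdump -dd 'ip and icmp'` emits
 * (the accept length is the assumed default snaplen). */
static const struct insn icmp_filter[] = {
    { LDH_ABS, 0, 0, 12 },     /* A = ethertype */
    { JEQ_K,   0, 3, 0x0800 }, /* not IPv4 -> jump to reject */
    { LDB_ABS, 0, 0, 23 },     /* A = IP protocol byte (14 + 9) */
    { JEQ_K,   0, 1, 1 },      /* not ICMP -> jump to reject */
    { RET_K,   0, 0, 262144 }, /* accept: copy up to this many bytes */
    { RET_K,   0, 0, 0 },      /* reject: copy nothing to user space */
};
/* Interpret a filter over one frame. Returns the byte count to copy out
 * (0 = drop). Loads past the end of the frame reject it, as BPF does. */
static uint32_t bpf_run(const struct insn *prog, size_t n,
                        const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:
            if (i->k + 2 > len) return 0;
            acc = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case LDB_ABS:
            if (i->k + 1 > len) return 0;
            acc = pkt[i->k];
            break;
        case JEQ_K: /* target is pc + 1 + offset; the loop supplies the + 1 */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case RET_K: return i->k;
        default:    return 0; /* opcode outside this subset */
        }
    }
    return 0;
}

/* Build a constructed 34-byte Ethernet + IPv4 header frame with the given
 * ethertype and protocol, and report whether the filter would pass it. */
int icmp_filter_accepts(uint16_t ethertype, uint8_t proto)
{
    uint8_t f[34] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[14] = 0x45;  /* IPv4, IHL 5 */
    f[23] = proto; /* protocol field of the IP header */
    return bpf_run(icmp_filter, sizeof icmp_filter / sizeof *icmp_filter,
                   f, sizeof f) != 0;
}
```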