
Thread: Determining the presence of wireshark

  1. #1
    Karthik Balaguru
    Guest

    Determining the presence of wireshark

    Hi,
    How to determine the presence of wireshark in a network ?
    Are there any specific packet types exchanged while it
    is present in the network so that it can be used to determine
    its presence in the network . Any tool to identify its presence
    in either Windows or Linux ? Any ideas ?

    Thx in advans,
    Karthik Balaguru

  2. #2
    Jeff Liebermann
    Guest

    Re: Determining the presence of wireshark

    On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
    <karthikbalaguru79@gmail.com> wrote:

    >How to determine the presence of wireshark in a network ?


    Look for NIC cards and wireless devices running in promiscuous mode.

    >Are there any specific packet types exchanged while it
    >is present in the network so that it can be used to determine
    >its presence in the network .


    No. A sniffer is totally passive.

    >Any tool to identify its presence
    >in either Windows or Linux ? Any ideas ?


    AntiSniff:
    <http://www.nmrc.org/pub/review/antisniff-b2.html>
    You may have trouble finding this one.

    PromqryUI in DOS and Windowfied versions:
    <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
    <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
    Only works for detecting sniffers running on a Windoze system. I
    haven't been able to detect DOS, Linux, or Mac sniffers with these
    tools.

    I've also noticed that most casual users of sniffers running on
    laptops like to boot their operating system before firing up their
    sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
    requests before disappearing into promiscuous mode. These initial
    packets can be detected with ArpWatch:
    <http://24h.atspace.com/it/security/arpwatch.htm>

    The problem is not identifying the presence of the sniffer, it's
    identifying which machine is actually doing the sniffing. The MAC
    address is a clue, but given the ease of MAC address spoofing, that
    information is often useless. Even if I delivered the MAC address on
    a silver platter, identifying which one of the potentially hundreds of
    similar computers in the room or building might be difficult.

    --
    Jeff Liebermann jeffl@cruzio.com
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558

  3. #3
    Bob
    Guest

    Re: Determining the presence of wireshark

    On 09/03/2010 17:40, Jeff Liebermann wrote:

    >
    > PromqryUI in DOS and Windowfied versions:
    > <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
    > <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
    > Only works for detecting sniffers running on a Windoze system. I
    > haven't been able to detect DOS, Linux, or Mac sniffers with these
    > tools.


    Have you tried SNAT? I noticed it on YouTube last week.
    <http://www.snat-project.com/documentation.html>



  4. #4
    Rick Jones
    Guest

    Re: Determining the presence of wireshark

    In comp.os.linux.networking Bob <bob@invalid.invalid> wrote:
    > Have you tried SNAT? I noticed it on YouTube last week.
    > <http://www.snat-project.com/documentation.html>


    I'm not sure how robust this:

    This action is the one I really like. With the help of it you can
    check if a host on your network is running a sniffer (well,
    technically you're checking if the NIC of that host is running in
    promiscuous mode). The idea behind this is to use an arp request
    with a forged destination address. First of all let me explain
    what is a promiscuous and a normal mode for the NIC. In the first
    one the network card simply picks up all of the packets (even
    those that are not directed to it), the second mode only picks up
    the packets that are directed to it and drops any other
    packets. But, all network cards that work in normal mode will
    pick up a packet with the destination address equal to
    FF:FF:FF:FF:FF:FF (broadcast). So where is the trick ? In a
    network with all NICs working in a normal mode if you send an arp
    request with the destination address = FF:FF:FF:FF:FF:FE none of
    the cards will reply. All of them will simply drop it. But when a
    card works in promiscuous mode it will pick up that packet
    (remember that it picks up all the packets regardless) and reply
    to the request. So when you get a reply from a host after sending
    such a forged packet it means that the NIC is working in promisc
    mode, so probably a network sniffer is running on that
    machine. Let me demonstrate it for you. I'm 192.168.1.6 and the
    host I want to check is 192.168.1.8. As usual go to the directory
    where you have snat.jar and execute the command (if you have any
    problems go here) :

    will be. First, I suppose that 99 times out of 10 a host responding
    to that MAC address will be in promiscuous mode, but since the group
    bit is set... And I would think all it takes is a small change to the
    ARP code to verify that the destination MAC was a full broadcast...

    The upshot is it is probably best to ass-u-me that unless you have
    complete physical control of your network - all the wires, all the
    ports, no wireless - that someone is listening.

    rick jones
    --
    oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
    these opinions are mine, all mine; HP might not want them anyway... :)
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  5. #5
    DanS
    Guest

    Re: Determining the presence of wireshark

    Rick Jones <rick.jones2@hp.com> wrote in news:hn66ht$h7r$2
    @usenet01.boi.hp.com:

    > In comp.os.linux.networking Bob <bob@invalid.invalid> wrote:
    >> Have you tried SNAT? I noticed it on YouTube last week.
    >> <http://www.snat-project.com/documentation.html>

    >
    > I'm not sure how robust this:
    >
    > This action is the one I really like. With the help of it you can
    > check if a host on your network is running a sniffer (well,


    <SNIP>

    > host I want to check is 192.168.1.8 As usual go to the directory
    > where you have snat.jar and execute the command (if you have any
    > problems go here) :
    >
    > will be. First, I suppose that 99 times out of 10 a host responding
    > to that MAC address will be in promiscuous mode, but since the group
    > bit is set... And I would think all it takes is a small change to the
    > ARP code to verify that the destination MAC was a full broadcast...


    Is this supposedly for Windows, Linux, OSX, BSD, etc ?

    I'm sure it's OS specific. For instance, a Windows box will not reply to a
    broadcast ping, but a Linux box will.

  6. #6
    Pascal Hambourg
    Guest

    Re: Determining the presence of wireshark

    Hello,

    DanS a écrit :
    >
    > I'm sure it's OS specific. For instance, a Windows box will not reply to a
    > broadcast ping, but a Linux box will.


    Linux replying to a broadcast ping has been disabled by default since
    version 2.6.14 (sysctl net.ipv4.icmp_echo_ignore_broadcasts=1 by default).

  7. #7
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o.m>
    wrote:
    > Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    > @usenet01.boi.hp.com:
    >
    > > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    > >> Have you tried SNAT? I noticed it on YouTube last week.
    > >> <http://www.snat-project.com/documentation.html>

    >
    > > I'm not sure how robust this:

    >
    > >     This action is the one I really like. With the help of it you can
    > >     check if a host on your network is running a sniffer (well,

    >
    > <SNIP>
    >
    > >     host I want to check is 192.168.1.8 As usual go to the directory
    > >     where you have snat.jar and execute the command (if you have any
    > >     problems go here) :

    >
    > > will be. First, I suppose that 99 times out of 10 a host responding
    > > to that MAC address will be in promiscuous mode, but since the group
    > > bit is set... And I would think all it takes is a small change to the
    > > ARP code to verify that the destination MAC was a full broadcast...

    >
    > Is this supposedly for Windows, Linux, OSX, BSD, etc ?
    >
    > I'm sure it's OS specific. For instance, a Windows box will not reply to a
    > broadcast ping, but a Linux box will.


    But why does a Windows box not reply to the broadcast ping :-( whereas
    the Linux box replies to it? That is,
    are there any specific reasons for it not being supported in Windows and
    being supported in Linux ?

    Thx in advans,
    Karthik Balaguru

  8. #8
    Stephen
    Guest

    Re: Determining the presence of wireshark

    On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru
    <karthikbalaguru79@gmail.com> wrote:

    >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o.m>
    >wrote:
    >> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    >> @usenet01.boi.hp.com:
    >>
    >> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    >> >> Have you tried SNAT? I noticed it on YouTube last week.
    >> >> <http://www.snat-project.com/documentation.html>

    >>
    >> > I'm not sure how robust this:

    >>
    >> >     This action is the one I really like. With the help of it you can
    >> >     check if a host on your network is running a sniffer (well,

    >>
    >> <SNIP>
    >>
    >> >     host I want to check is 192.168.1.8 As usual go to the directory
    >> >     where you have snat.jar and execute the command (if you have any
    >> >     problems go here) :

    >>
    >> > will be. First, I suppose that 99 times out of 10 a host responding
    >> > to that MAC address will be in promiscuous mode, but since the group
    >> > bit is set... And I would think all it takes is a small change to the
    >> > ARP code to verify that the destination MAC was a full broadcast...

    >>
    >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?
    >>
    >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
    >> broadcast ping, but a Linux box will.

    >
    >But why Windows box does not reply to the broadcast ping :-( whereas
    >the Linux box replies to the broadcast ping ? That is,
    >any specific reasons for not being supported in Windows and for
    >being supported in Linux ?


    i seem to remember using broadcast ping to populate ARP tables on a
    router to hunt used IP addresses, so i am not sure this is right.

    i think that it may be more about the sender, not the receiver.

    if i ping the local LAN s/net on my w2000 PC - no response and nothing
    changes in the arp table (arp -a)

    do the same on a win7 PC and i get a response, and the arp table gets
    some added entries - some of the entries are w2k and xp boxes.....

    the win7 box has static ARP entries installed for the IP local
    broadcast address and network broadcast (this seems to be part of the
    default interface settings).
    Adding the same statics on the w2k box doesn't change anything.

    i cannot run up wireshark to check any further right now - but it sure
    looks like the apparent lack of response to broadcast ping might be at
    the Windows sender, not the responder.
    >
    >Thx in advans,
    >Karthik Balaguru

    --
    Regards

    stephen_hope@xyzworld.com - replace xyz with ntl

  9. #9
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 15, 12:13 am, Stephen <stephen_h...@xyzworld.com> wrote:
    > On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru
    >
    >
    >
    >
    >
    > <karthikbalagur...@gmail.com> wrote:
    > >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o.m>
    > >wrote:
    > >> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    > >> @usenet01.boi.hp.com:

    >
    > >> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    > >> >> Have you tried SNAT? I noticed it on YouTube last week.
    > >> >> <http://www.snat-project.com/documentation.html>

    >
    > >> > I'm not sure how robust this:

    >
    > >> >     This action is the one I really like. With the help of it you can
    > >> >     check if a host on your network is running a sniffer (well,

    >
    > >> <SNIP>

    >
    > >> >     host I want to check is 192.168.1.8 As usual go to the directory
    > >> >     where you have snat.jar and execute the command (if you have any
    > >> >     problems go here) :

    >
    > >> > will be. First, I suppose that 99 times out of 10 a host responding
    > >> > to that MAC address will be in promiscuous mode, but since the group
    > >> > bit is set... And I would think all it takes is a small change to the
    > >> > ARP code to verify that the destination MAC was a full broadcast...

    >
    > >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?

    >
    > >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
    > >> broadcast ping, but a Linux box will.

    >
    > >But why Windows box does not reply to the broadcast ping :-( whereas
    > >the Linux box replies to the broadcast ping ? That is,
    > >any specific reasons for not being supported in Windows and for
    > >being supported in Linux ?

    >
    > i seem to remember using broadcast ping to populate ARP tables on a
    > router to hunt used IP addresses, so i am not sure this is right.
    >
    > i think that it may be more about the sender, not the receiver.
    >
    > if i ping the local LAN s/net on my w2000 PC - no response and nothing
    > changes in the arp table (arp -a)
    >
    > do the same on a win7 PC and i get a response, and the arp table gets
    > some added entries - some of the entries are w2k and xp boxes.....
    >
    > the win7 box has static ARP entries installed for the IP local
    > broadcast address and network broadcast (this seems to be part of the
    > default interface settings).
    > Adding the same statics on the w2k box doesn't change anything.
    >
    > i cannot run up wireshark to check any further right now - but it sure
    > looks like the apparent lack of response to broadcast ping might be at
    > the Windows sender, not the responder.
    >


    On similar lines, I came across some information stating that due to
    a weakness in the Linux TCP/IP implementation, it will answer
    TCP/IP packets sent to its IP address even if the MAC address
    on that packet is wrong while in promiscuous mode.
    But, it seems that the standard behaviour is that they will not be
    answered because the network interface will drop them as they
    contain the wrong MAC address.

    I am eager to know why the Linux implementation is different
    from the standard implementation. Is it good or bad ?

    Thx in advans,
    Karthik Balaguru

  10. #10
    Stephen
    Guest

    Re: Determining the presence of wireshark

    On Tue, 16 Mar 2010 09:39:30 -0700 (PDT), Karthik Balaguru
    <karthikbalaguru79@gmail.com> wrote:

    >On Mar 15, 12:13 am, Stephen <stephen_h...@xyzworld.com> wrote:
    >> On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru
    >>
    >>
    >>
    >>
    >>
    >> <karthikbalagur...@gmail.com> wrote:
    >> >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o.m>
    >> >wrote:
    >> >> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    >> >> @usenet01.boi.hp.com:

    >>
    >> >> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    >> >> >> Have you tried SNAT? I noticed it on YouTube last week.
    >> >> >> <http://www.snat-project.com/documentation.html>

    >>
    >> >> > I'm not sure how robust this:

    >>
    >> >> >     This action is the one I really like. With the help of it you can
    >> >> >     check if a host on your network is running a sniffer (well,

    >>
    >> >> <SNIP>

    >>
    >> >> >     host I want to check is 192.168.1.8 As usual go to the directory
    >> >> >     where you have snat.jar and execute the command (if you have any
    >> >> >     problems go here) :

    >>
    >> >> > will be. First, I suppose that 99 times out of 10 a host responding
    >> >> > to that MAC address will be in promiscuous mode, but since the group
    >> >> > bit is set... And I would think all it takes is a small change to the
    >> >> > ARP code to verify that the destination MAC was a full broadcast...

    >>
    >> >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?

    >>
    >> >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
    >> >> broadcast ping, but a Linux box will.

    >>
    >> >But why Windows box does not reply to the broadcast ping :-( whereas
    >> >the Linux box replies to the broadcast ping ? That is,
    >> >any specific reasons for not being supported in Windows and for
    >> >being supported in Linux ?

    >>
    >> i seem to remember using broadcast ping to populate ARP tables on a
    >> router to hunt used IP addresses, so i am not sure this is right.
    >>
    >> i think that it may be more about the sender, not the receiver.
    >>
    >> if i ping the local LAN s/net on my w2000 PC - no response and nothing
    >> changes in the arp table (arp -a)
    >>
    >> do the same on a win7 PC and i get a response, and the arp table gets
    >> some added entries - some of the entries are w2k and xp boxes.....
    >>
    >> the win7 box has static ARP entries installed for the IP local
    >> broadcast address and network broadcast (this seems to be part of the
    >> default interface settings).
    >> Adding the same statics on the w2k box doesn't change anything.
    >>
    >> i cannot run up wireshark to check any further right now - but it sure
    >> looks like the apparent lack of response to broadcast ping might be at
    >> the Windows sender, not the responder.
    >>

    >
    >On similar lines, i came across an info that states that due to
    >a weakness in Linux TCP/IP implementation , it will answer to
    >TCP/IP packets sent to its IP address even if the MAC address
    >on that packet is wrong while in promiscuous mode.
    >But, it seems that the standard behavior is that it will not be
    >answered because the network interface will drop them as it
    >is containing wrong MAC address .
    >
    >I am eager to know Why is the linux implementation different
    >from that of the standard implementation ? Is it good or bad ?
    >

    it probably comes down to implementation issues.

    FWIW responding to broadcasts is like many things - useful but can be
    dangerous to network stability in some setups.

    there are standards that cover a lot of this stuff.....

    RFC 1122 is for host requirements - section 3.2 says a fair bit about
    handling broadcasts.

    >Thx in advans,
    >Karthik Balaguru

    --
    Regards

    stephen_hope@xyzworld.com - replace xyz with ntl

  11. #11
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 17, 2:09 am, Stephen <stephen_h...@xyzworld.com> wrote:
    > On Tue, 16 Mar 2010 09:39:30 -0700 (PDT), Karthik Balaguru
    >
    >
    >
    >
    >
    > <karthikbalagur...@gmail.com> wrote:
    > >On Mar 15, 12:13 am, Stephen <stephen_h...@xyzworld.com> wrote:
    > >> On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru

    >
    > >> <karthikbalagur...@gmail.com> wrote:
    > >> >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o..m>
    > >> >wrote:
    > >> >> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    > >> >> @usenet01.boi.hp.com:

    >
    > >> >> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    > >> >> >> Have you tried SNAT? I noticed it on YouTube last week.
    > >> >> >> <http://www.snat-project.com/documentation.html>

    >
    > >> >> > I'm not sure how robust this:

    >
    > >> >> >     This action is the one I really like. With the help of it you can
    > >> >> >     check if a host on your network is running a sniffer (well,

    >
    > >> >> <SNIP>

    >
    > >> >> >     host I want to check is 192.168.1.8 As usual go to the directory
    > >> >> >     where you have snat.jar and execute the command (if you have any
    > >> >> >     problems go here) :

    >
    > >> >> > will be. First, I suppose that 99 times out of 10 a host responding
    > >> >> > to that MAC address will be in promiscuous mode, but since the group
    > >> >> > bit is set... And I would think all it takes is a small change to the
    > >> >> > ARP code to verify that the destination MAC was a full broadcast....

    >
    > >> >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?

    >
    > >> >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
    > >> >> broadcast ping, but a Linux box will.

    >
    > >> >But why Windows box does not reply to the broadcast ping :-( whereas
    > >> >the Linux box replies to the broadcast ping ? That is,
    > >> >any specific reasons for not being supported in Windows and for
    > >> >being supported in Linux ?

    >
    > >> i seem to remember using broadcast ping to populate ARP tables on a
    > >> router to hunt used IP addresses, so i am not sure this is right.

    >
    > >> i think that it may be more about the sender, not the receiver.

    >
    > >> if i ping the local LAN s/net on my w2000 PC - no response and nothing
    > >> changes in the arp table (arp -a)

    >
    > >> do the same on a win7 PC and i get a response, and the arp table gets
    > >> some added entries - some of the entries are w2k and xp boxes.....

    >
    > >> the win7 box has static ARP entries installed for the IP local
    > >> broadcast address and network broadcast (this seems to be part of the
    > >> default interface settings).
    > >> Adding the same statics on the w2k box doesn't change anything.

    >
    > >> i cannot run up wireshark to check any further right now - but it sure
    > >> looks like the apparent lack of response to broadcast ping might be at
    > >> the Windows sender, not the responder.

    >
    > >On similar lines, i came across an info that states that due to
    > >a weakness in Linux TCP/IP implementation , it will answer to
    > >TCP/IP packets sent to its IP address even if the MAC address
    > >on that packet is wrong while in promiscuous mode.
    > >But, it seems that the standard behavior is that it will not be
    > >answered because the network interface will drop them as it
    > >is containing wrong MAC address .

    >
    > >I am eager to know Why is the linux implementation different
    > >from that of the standard implementation ? Is it good or bad ?

    >
    > it probably comes down to implementation issues.
    >
    > FWIW responding to broadcasts is like many things - useful but can be
    > dangerous to network stability in some setups.
    >
    > there are standards that cover a lot of this stuff.....
    >
    > RFC 1122 is for host requirements - section 3.2 says a fair bit about
    > handling broadcasts.
    >


    Thx for the RFC. The RFC 1122 does talk about handling broadcasts.
    I found section 3.3.6 very interesting. But, I wonder why
    implementations vary between Windows and Linux :(

    Karthik Balaguru

  12. #12
    alexd
    Guest

    Re: Determining the presence of wireshark

    On 18/03/10 17:44, Karthik Balaguru wrote:

    > Thx for the RFC. The RFC 1122 does talk about handling broadcasts.
    > I found section 3.3.6 very interesting. But, I wonder why
    > implementations vary between Windows and Linux :(


    Well if implementations didn't vary, then there'd be no need for
    standards and committees, would there?

    --
    <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
    17:43:32 up 43 days, 17:47, 3 users, load average: 0.02, 0.11, 0.14
    It is better to have been wasted and then sober
    than to never have been wasted at all

  13. #13
    PaulusJrLz
    Guest

    Re: Determining the presence of wireshark

    On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...@gmail.com>
    wrote:
    > Hi,
    > How to determine the presence of wireshark in a network ?
    > Are there any specific packet types exchanged while it
    > is present in the network so that it can be used to determine
    > its presence in the network . Any tool to identify its presence
    > in either Windows or Linux ? Any ideas ?
    >
    > Thx in advans,
    > Karthik Balaguru


    One indicator of sniffer activity is a lot of DNS requests from the
    sniffer.
    This detection is not always effective, since the sniffer's DNS resolution
    can be turned off.

    Junior Lazuardi

  14. #14
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 19, 10:44 pm, alexd <troffa...@hotmail.com> wrote:
    > On 18/03/10 17:44, Karthik Balaguru wrote:
    >
    > > Thx for the RFC. The RFC 1122 does talk about handling broadcasts.
    > > I found section 3.3.6 very interesting. But, I wonder why
    > > implementations vary between Windows and Linux :(

    >
    > Well if implementations didn't vary, then there'd be no need for
    > standards and committees, would there?
    >


    :-)

    Karthik Balaguru

  15. #15
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 17, 2:09 am, Stephen <stephen_h...@xyzworld.com> wrote:
    > On Tue, 16 Mar 2010 09:39:30 -0700 (PDT), Karthik Balaguru
    >
    >
    >
    >
    >
    > <karthikbalagur...@gmail.com> wrote:
    > >On Mar 15, 12:13 am, Stephen <stephen_h...@xyzworld.com> wrote:
    > >> On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru

    >
    > >> <karthikbalagur...@gmail.com> wrote:
    > >> >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o..m>
    > >> >wrote:
    > >> >> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2
    > >> >> @usenet01.boi.hp.com:

    >
    > >> >> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
    > >> >> >> Have you tried SNAT? I noticed it on YouTube last week.
    > >> >> >> <http://www.snat-project.com/documentation.html>

    >
    > >> >> > I'm not sure how robust this:

    >
    > >> >> >     This action is the one I really like. With the help of it you can
    > >> >> >     check if a host on your network is running a sniffer (well,

    >
    > >> >> <SNIP>

    >
    > >> >> >     host I want to check is 192.168.1.8 As usual go to the directory
    > >> >> >     where you have snat.jar and execute the command (if you have any
    > >> >> >     problems go here) :

    >
    > >> >> > will be. First, I suppose that 99 times out of 10 a host responding
    > >> >> > to that MAC address will be in promiscuous mode, but since the group
    > >> >> > bit is set... And I would think all it takes is a small change to the
    > >> >> > ARP code to verify that the destination MAC was a full broadcast....

    >
    > >> >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?

    >
    > >> >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
    > >> >> broadcast ping, but a Linux box will.

    >
    > >> >But why Windows box does not reply to the broadcast ping :-( whereas
    > >> >the Linux box replies to the broadcast ping ? That is,
    > >> >any specific reasons for not being supported in Windows and for
    > >> >being supported in Linux ?

    >
    > >> i seem to remember using broadcast ping to populate ARP tables on a
    > >> router to hunt used IP addresses, so i am not sure this is right.

    >
    > >> i think that it may be more about the sender, not the receiver.

    >
    > >> if i ping the local LAN s/net on my w2000 PC - no response and nothing
    > >> changes in the arp table (arp -a)

    >
    > >> do the same on a win7 PC and i get a response, and the arp table gets
    > >> some added entries - some of the entries are w2k and xp boxes.....

    >
    > >> the win7 box has static ARP entries installed for the IP local
    > >> broadcast address and network broadcast (this seems to be part of the
    > >> default interface settings).
    > >> Adding the same statics on the w2k box doesn't change anything.

    >
    > >> i cannot run up wireshark to check any further right now - but it sure
    > >> looks like the apparent lack of response to broadcast ping might be at
    > >> the Windows sender, not the responder.

    >
    > >On similar lines, i came across an info that states that due to
    > >a weakness in Linux TCP/IP implementation , it will answer to
    > >TCP/IP packets sent to its IP address even if the MAC address
    > >on that packet is wrong while in promiscuous mode.
    > >But, it seems that the standard behavior is that it will not be
    > >answered because the network interface will drop them as it
    > >is containing wrong MAC address .

    >
    > >I am eager to know Why is the linux implementation different
    > >from that of the standard implementation ? Is it good or bad ?

    >
    > it probably comes down to implementation issues.
    >
    > FWIW responding to broadcasts is like many things - useful but can be
    > dangerous to network stability in some setups.
    >
    > there are standards that cover a lot of this stuff.....
    >
    > RFC 1122 is for host requirements - section 3.2 says a fair bit about
    > handling broadcasts.
    >


    It seems that the flaw in the Linux TCP/IP stack has been fixed in
    kernel 2.2.10, as it drops the incoming packets that are not
    destined for its ethernet address.

    So, it is a tough job to detect the presence of the sniffer in the network
    if it is running on Linux kernel 2.2.10.

    Karthik Balaguru
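The receiver-side check that Rick Jones's post describes (answer an ARP request only if the Ethernet destination was really us or a full broadcast) and the fixed behaviour this post attributes to kernel 2.2.10 (drop frames not destined for the host's Ethernet address), shown as an added Python example that is not part of the thread or of any of the tools it mentions. All MACs, IPs and frames are constructed in memory; nothing is sent on the wire.

```python
"""Receiver-side filtering of ARP requests, as discussed in this thread.

A NIC in promiscuous mode hands the stack every frame it sees, so the stack
itself must decide whether a frame was really addressed to it.  The probe
described above relies on stacks that skip that decision: they answer an ARP
request whose Ethernet destination is FF:FF:FF:FF:FF:FE, which is not the
broadcast address.  `should_answer_arp(strict=True)` is the "small change to
the ARP code" Rick Jones asks for.  Everything below is constructed sample
data; no sockets are opened.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def mac_bytes(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    """'192.168.1.8' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(dst_mac: str, src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Constructed sample frame: 14-byte Ethernet II header + 28-byte ARP request."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet / IPv4
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)  # sender hardware / protocol address
    arp += bytes(6) + ip_bytes(target_ip)  # target MAC is unknown in a request
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Extract the fields the check needs; raise ValueError on malformed input."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_dst": frame[:6],
        "eth_src": frame[6:12],
        "opcode": opcode,
        "sender_mac": frame[22:28],
        "sender_ip": frame[28:32],
        "target_ip": frame[38:42],
    }


def should_answer_arp(frame: bytes, my_mac: str, my_ip: str, strict: bool = True) -> bool:
    """Decide whether this host should send an ARP reply for `frame`.

    strict=True : corrected behaviour; a request counts as ours only if the
                  Ethernet destination is our MAC or the all-ones broadcast.
    strict=False: the flawed behaviour the probe depends on; only the ARP
                  target IP is examined and the Ethernet destination is ignored.
    """
    try:
        arp = parse_arp_frame(frame)
    except ValueError:
        return False
    if arp["opcode"] != ARP_REQUEST or arp["target_ip"] != ip_bytes(my_ip):
        return False
    if strict:
        # FF:FF:FF:FF:FF:FE has the group bit set but is not the broadcast
        # address, so it fails this comparison and is dropped.
        return arp["eth_dst"] in (mac_bytes(my_mac), BROADCAST_MAC)
    return True


def probe_outcomes(my_mac: str, my_ip: str) -> dict:
    """Run three destination-MAC cases through both receiver behaviours.

    Returns {case_name: (strict_answers, lenient_answers)}.
    """
    prober_mac, prober_ip = "00:11:22:33:44:55", "192.168.1.6"  # constructed
    cases = {
        "broadcast": BROADCAST_MAC.hex(":"),
        "unicast_to_us": my_mac,
        "fake_broadcast_fe": "ff:ff:ff:ff:ff:fe",
    }
    results = {}
    for name, dst in cases.items():
        frame = build_arp_request(dst, prober_mac, prober_ip, my_ip)
        results[name] = (
            should_answer_arp(frame, my_mac, my_ip, strict=True),
            should_answer_arp(frame, my_mac, my_ip, strict=False),
        )
    return results


if __name__ == "__main__":
    # Host under test: constructed MAC and the 192.168.1.8 address from the thread.
    for case, (strict, lenient) in probe_outcomes("00:aa:bb:cc:dd:08", "192.168.1.8").items():
        print(f"{case:18s} strict={strict!s:5} lenient={lenient}")
```

Only the fake_broadcast_fe case separates the two behaviours, which is why a reply to that probe is taken as evidence of a promiscuous (and unpatched) receiver.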

  16. #16
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 20, 11:49 am, PaulusJrLz <paulusj...@gmail.com> wrote:
    > On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...@gmail.com>
    > wrote:
    >
    > > Hi,
    > > How to determine the presence of wireshark in a network ?
    > > Are there any specific packet types exchanged while it
    > > is present in the network so that it can be used to determine
    > > its presence in the network . Any tool to identify its presence
    > > in either Windows or Linux ? Any ideas ?

    >
    > > Thx in advans,
    > > Karthik Balaguru

    >
    > One indicator of sniffer activity is a lot of DNS requests from the
    > sniffer.
    > This detection is not always effective, since the sniffer's DNS resolution
    > can be turned off.
    >


    I think that is how antisniff has been played down
    by some sniffers.

    I have been searching for these tools that help
    in finding the remote systems in promiscuous mode
    in a network. I did come across other tools that
    help in detection of a system in promiscuous mode
    such as the following-

    1. Sentinel
    Supports 3 methods of remote promiscuous
    detection: the DNS test, Etherping test, ARP test
    (-a arp test, -d dns test, -e icmp etherping test).
    Need to check it out. Has anyone tried this
    out ?

    2. neped.c
    http://www.artofhacking.com/tucops/h.../aoh_neped.htm
    Network Promiscuous Ethernet Detector w.r.t Linux-
    Specifically designed to detect the sniffers that
    use the flaw in Linux TCP/IP Stack !!. I think this
    will not be useful for the kernels in which the
    flaw has been fixed such as kernel 2.2.10 as they
    drop the incoming packets that are not destined
    for this ethernet address.

    3. promisc.c
    http://seclists.org/nmap-hackers/199.../promisc_c.bin
    Determines the machine on which it is run is
    in promisc mode.
    This is similar to "ifconfig -a|grep PROMISC" :-)
    But, this does not help remote machine (sniffer)
    detection :-(

    4. ifstatus
    ftp://ftp.cerias.purdue.edu/pub/tool...tus-4.0.tar.gz
    Checks the network interfaces on the
    system and reports any that are in debug or
    promiscuous mode - Not suitable for remote sniffer
    detection :-(

    5. Antisniff
    So it appears that antisniff can be tricked if
    kernel 2.2.10 is used, or if the DNS lookup test is
    avoided, or if the sniffing is not done above an
    average network traffic limit. And it seems there
    is an equally interesting 'Anti-Antisniff Sniffer'
    to play down the antisniff utility :-(

    But, I am not sure if Sentinel helps in detection
    of remote promiscuous mode (sniffer) even in the
    case of linux kernel 2.2.10 ! ?

    Thx in advans,
    Karthik Balaguru
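
    The local checks in items 3 and 4 above (promisc.c, ifstatus,
    "ifconfig -a | grep PROMISC") all come down to reading the interface
    flag word. The following is an added example, not code from the thread
    or from any of the tools it names: it decodes the flag word Linux exposes
    in /sys/class/net/<iface>/flags and reports interfaces in promiscuous or
    debug mode, the same two conditions ifstatus reports. The sample flag
    table is constructed; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Local promiscuous-mode check, the sysfs equivalent of
'ifconfig -a | grep PROMISC' or ifstatus.
Added example; not code from the thread or from any tool it names."""
from pathlib import Path

# Interface flag bits from <linux/if.h> (net_device_flags).
IFF_UP        = 0x0001
IFF_BROADCAST = 0x0002
IFF_DEBUG     = 0x0004
IFF_LOOPBACK  = 0x0008
IFF_PROMISC   = 0x0100
IFF_MULTICAST = 0x1000


def decode_flags(flag_word: str) -> dict:
    """Decode the hex string found in /sys/class/net/<iface>/flags."""
    value = int(flag_word.strip(), 16)
    return {
        "up": bool(value & IFF_UP),
        "loopback": bool(value & IFF_LOOPBACK),
        "debug": bool(value & IFF_DEBUG),
        "promisc": bool(value & IFF_PROMISC),
        "multicast": bool(value & IFF_MULTICAST),
    }


def suspicious_interfaces(flag_table: dict) -> list:
    """Names of interfaces in promiscuous or debug mode.
    flag_table maps interface name -> flag word string."""
    hits = []
    for iface, word in sorted(flag_table.items()):
        flags = decode_flags(word)
        if flags["promisc"] or flags["debug"]:
            hits.append(iface)
    return hits


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Collect the flag word of every interface on the running Linux host."""
    table = {}
    for entry in Path(root).iterdir():
        flags_file = entry / "flags"
        if flags_file.is_file():
            table[entry.name] = flags_file.read_text()
    return table


# Constructed sample: typical sysfs values for a loopback interface, a
# normal NIC, and a NIC that a sniffer has switched into promiscuous mode.
SAMPLE_FLAGS = {
    "lo":   "0x9",     # UP | LOOPBACK
    "eth0": "0x1003",  # UP | BROADCAST | MULTICAST
    "eth1": "0x1103",  # UP | BROADCAST | PROMISC | MULTICAST
}

if __name__ == "__main__":
    table = SAMPLE_FLAGS
    try:
        table = read_sysfs_flags()
    except OSError:
        pass  # not on Linux: fall back to the constructed sample
    for iface in suspicious_interfaces(table):
        print(f"{iface}: PROMISC or DEBUG flag set")
```

    Like the tools it mirrors, this only sees the host it runs on. Linux also
    logs "device eth1 entered promiscuous mode" in the kernel ring buffer when
    the flag is set, which is the more useful thing to forward to a log
    collector on hosts you administer.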

  17. #17
    Stephane CHAZELAS
    Guest

    Re: Determining the presence of wireshark

    2010-03-20, 01:59(-07), Karthik Balaguru:
    [...]
    > 1. Sentinel
    > Supports 3 methods of remote promiscuous
    > detection: The DNS test,Etherping test,ARP test.
    > -a arp test, -d dns test,-e icmp etherping test.
    > Need to check it out. Has anyone tried this
    > out ?


    All those methods assume the interface is configured with an IP
    address, or that the system supports IP. There's no need for
    implementing an IP stack to sniff ethernet packets. One can use
    wireshark on an interface that hasn't got any IP address
    configured or that has a firewall rule that prevents it from
    emitting any packet.

    sudo iptables -I OUTPUT --out-interface eth0 -j DROP

    And that interface will not be detected.

    Probably same with

    sudo ip addr flush dev eth0

    > 2. neped.c
    > http://www.artofhacking.com/tucops/h.../aoh_neped.htm
    > Network Promiscuous Ethernet Detector w.r.t Linux-
    > Specifically designed to detect the sniffers that
    > use the flaw in Linux TCP/IP Stack !!. I think this
    > will not be useful for the kernels in which the
    > flaw has been fixed such as kernel 2.2.10 as they
    > drop the incoming packets that are not destined
    > for this ethernet address.


    2.2.9 was released in May 1999. I don't expect there to be a lot of
    pre-2.2.10 Linux boxes around nowadays.

    --
    Stéphane
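
    The ARP test from item 1 of the previous post, and the two evasions
    described in this one, can be modelled without touching the wire. The
    following is an added example, not code from the thread or from
    Sentinel/AntiSniff: a small simulation of how a NIC's destination filter
    and the host's ARP layer react to a who-has request addressed to a bogus
    unicast MAC. Only a promiscuous interface ever passes such a frame up the
    stack, so an ARP reply is the detection signal; an interface with no IP
    address, or one whose egress is dropped by the iptables rule above,
    produces no reply even when promiscuous. The Host model, the bogus MAC
    value and the function names are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Simulation of the remote ARP test for promiscuous-mode detection and of
the evasions discussed in the thread. Added example; nothing is sent on
the wire, and this is not the code of any tool named in the thread."""
from dataclasses import dataclass
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
# Constructed bogus unicast destination: no card owns this address, so a
# non-promiscuous NIC's hardware filter discards frames sent to it.
BOGUS_DST = b"\xff\xff\xff\xff\xff\xfe"
ETH_P_ARP = 0x0806


@dataclass
class Host:
    mac: bytes
    ip: bytes                      # 4 bytes, or b"" when no address is set
    promisc: bool = False
    egress_blocked: bool = False   # e.g. iptables -I OUTPUT --out-interface eth0 -j DROP


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST):
    """Ethernet II frame carrying an ARP who-has for target_ip."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # ethernet/IPv4, opcode 1
           + src_mac + src_ip + b"\x00" * 6 + target_ip)
    return eth + arp


def build_arp_reply(host, requester_mac, requester_ip):
    """ARP is-at (opcode 2) from host back to the requester."""
    eth = requester_mac + host.mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + host.mac + host.ip + requester_mac + requester_ip)
    return eth + arp


def nic_accepts(dst_mac, host):
    """The card's destination filter: own MAC, broadcast, or anything in promisc mode."""
    return host.promisc or dst_mac == host.mac or dst_mac == BROADCAST


def host_reply(frame, host):
    """What the host would send back for this frame, or None."""
    dst, ethertype, payload = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if not nic_accepts(dst, host):
        return None                      # dropped in hardware, stack never sees it
    if ethertype != ETH_P_ARP or not host.ip:
        return None                      # no IP configured: ARP layer has nothing to say
    sender_mac, sender_ip = payload[8:14], payload[14:18]
    target_ip = payload[24:28]
    if target_ip != host.ip or host.egress_blocked:
        return None                      # not for us, or OUTPUT chain drops the reply
    return build_arp_reply(host, sender_mac, sender_ip)


def arp_test(host, prober_mac, prober_ip, target_ip):
    """Send a who-has for target_ip to a bogus MAC; a reply means the
    interface accepted a frame it should not have, i.e. it is promiscuous."""
    probe = build_arp_request(prober_mac, prober_ip, target_ip, dst_mac=BOGUS_DST)
    return host_reply(probe, host) is not None


# Constructed hosts for a demonstration run.
PROBER_MAC, PROBER_IP = b"\x02\x00\x00\x00\x00\x01", bytes([10, 0, 0, 1])
TARGET_MAC, TARGET_IP = b"\x02\x00\x00\x00\x00\x02", bytes([10, 0, 0, 2])

if __name__ == "__main__":
    cases = {
        "normal host": Host(TARGET_MAC, TARGET_IP),
        "sniffer with IP": Host(TARGET_MAC, TARGET_IP, promisc=True),
        "sniffer, no IP": Host(TARGET_MAC, b"", promisc=True),
        "sniffer, egress dropped": Host(TARGET_MAC, TARGET_IP, promisc=True, egress_blocked=True),
    }
    for name, h in cases.items():
        print(f"{name:24s} detected={arp_test(h, PROBER_MAC, PROBER_IP, TARGET_IP)}")
```

    The same idea is what nmap's sniffer-detect script and Sentinel's -a mode
    send for real; the simulation shows why the answer is only ever "probably
    promiscuous", never "definitely not": the two evasions in this post leave
    the detector with exactly the same silence as an innocent host.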

  18. #18
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 20, 3:28 pm, Stephane CHAZELAS <stephane_chaze...@yahoo.fr>
    wrote:
    > 2010-03-20, 01:59(-07), Karthik Balaguru:
    > [...]
    >
    > > 1. Sentinel
    > > Supports 3 methods of remote promiscuous
    > > detection: The DNS test,Etherping test,ARP test.
    > > -a arp test, -d dns test,-e icmp etherping test.
    > > Need to check it out. Has anyone tried this
    > > out ?

    >
    > All those methods assume the interface is configured with an IP
    > address, or that the system supports IP.


    Okay. Yeah, I analyzed it and it appears just
    as you conveyed - passive sniffers in promiscuous
    mode (remote) can be detected only if they are on
    an interface with a configured IP address !

    > There's no need for
    > implementing an IP stack to sniff ethernet packets. One can use
    > wireshark on an interface that hasn't got any IP address
    > configured or that has a firewall rule that prevents it from
    > emitting any packet.
    >
    > sudo iptables -I OUTPUT --out-interface eth0 -j DROP
    >
    > And that interface will not be detected.
    >


    :-(
    Interesting to know that wireshark or other sniffers
    can be used on an interface that hasn't got any IP
    address configured.

    But, I wonder what is the advantage/use of running
    wireshark on an interface that hasn't got any IP address.
    In what kind of scenarios might we need to run wireshark
    on an interface without an IP address ? Any thoughts ?

    > Probably same with
    >
    > sudo ip addr flush dev eth0
    >


    :-(
    It appears that there is NO method to detect passive sniffing
    unless the sniffer does not take care of things like hiding the
    IP address / using a proper flawless OS.

    > > 2. neped.c
    > >http://www.artofhacking.com/tucops/h.../aoh_neped.htm
    > > Network Promiscuous Ethernet Detector w.r.t Linux-
    > > Specifically designed to detect the sniffers that
    > > use the flaw in Linux TCP/IP Stack !!. I think this
    > > will not be useful for the kernels in which the
    > > flaw has been fixed such as kernel 2.2.10 as they
    > > drop the incoming packets that are not destined
    > > for this ethernet address.

    >
    > 2.2.9 was released in May 1999. I don't expect there be a lot of
    > pre-2.2.10 Linux boxes around nowadays.
    >


    True that there might not be many systems that use pre-2.2.10
    unless upgraded. So, it is difficult to determine the presence
    of a sniffer in networks in such a case.

    So, in brief - NO METHOD to detect passive sniffing :-(
    That is, it seems that unless there is a flaw in the operating
    system similar to that of TCP/IP in the pre-2.2.10 linux kernel, it
    is not possible to determine the presence of sniffers performing
    passive sniffing in the network.

    Karthik Balaguru

  19. #19
    Hal Murray
    Guest

    Re: Determining the presence of wireshark

    > But, I wonder what is the advantage/use of running
    > wireshark on an interface that hasn't got any IP address.
    > In what kind of scenarios might we need to run wireshark
    > on an interface without an IP address ? Any thoughts ?


    How about running Wireshark while hiding from people
    who are trying to find people running Wireshark?

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  20. #20
    Karthik Balaguru
    Guest

    Re: Determining the presence of wireshark

    On Mar 21, 11:14 am, hal-use...@ip-64-139-1-69.sjc.megapath.net (Hal
    Murray) wrote:
    > > But, I wonder what is the advantage/use of running
    > > wireshark on an interface that hasn't got any IP address.
    > > In what kind of scenarios might we need to run wireshark
    > > on an interface without an IP address ? Any thoughts ?

    >
    > How about running Wireshark while hiding from people
    > who are trying to find people running Wireshark?
    >


    :-) :-)
    I had that in mind !
    But, is it only for that reason ? Are there no other scenarios ?

    Thx in advans,
    Karthik Balaguru
