
detecting sniffers



hi ya

i was playing over the weekend .. 
looking at various sniffer detectors to see what it finds

#
# Problem was to find any/all sniffers on the local subnet
# from the playing i did, they'd still remain hidden while sniffing
#

i was running some sniffers of various flavors on various machines
	( debian, slackware, redhat - various versions )
	tcpdump, ethereal, pfilt.pl, pl00000.pl (debian mailing list)
	.. etc ..

	pfilt.pl working the best and easiest to get running, which
	recreates a human readable file of the sniffed incoming emails

	- none of the ethernet cards was in promiscuous mode
	and was still sniffable

some of the pseudo sniffer detectors i played with:
( most all of these didn't find any of the sniffers running )
	cpm		-- no *.deb
	ifstat		-- no *.deb
	ifstatus2	-- no *.deb
	kstat		-- no *.deb
	neped.c		-- no *.deb, but works nicely
	sentinel	-- no *.deb
	sniffdet	-- no *.deb

urls for the above ...
	http://www.linux-sec.net/Sniffer

c ya
alvin


*.deb apps i installed on the debian boxes
	( i didn't play with wireless sniffing though )
apt-get install airsnort darkstat tcptrack  
apt-get install vnstat  tcpick tethereal
apt-get install sniffdet sniffit  scapy  prismstumbler nwatch
apt-get install ngrep nast kismet karpski hunt ettercap ettercap-gtk
apt-get install ethereal dsniff darkstat
.. end of apps ..
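
A host-side check related to the observation above (interfaces not reporting promiscuous mode while capture tools run), as an added example that is not part of the original post: it reads the interface flag from sysfs and also lists packet sockets bound to all protocols from /proc/net/packet, which exist independently of that flag. Linux only; the function names and the sample text are constructed for illustration.

```python
import glob, os

IFF_PROMISC = 0x100   # interface flag bit, <linux/if.h>
ETH_P_ALL = 0x0003    # packet socket that receives every protocol

# Constructed sample in the layout of /proc/net/packet (not from a real host).
SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8f2a1c3e0000 3      3    0003   2     1 0      0      48211
ffff8f2a1c3e0800 3      3    888e   3     1 0      0      23117
ffff8f2a1c3e1000 3      2    0003   0     1 0      1000   51902
"""

def is_promisc(flags_text):
    """flags_text: content of /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def capture_all_sockets(proc_text):
    """Return packet sockets bound to ETH_P_ALL as dicts."""
    found = []
    for line in proc_text.splitlines()[1:]:      # skip header row
        f = line.split()
        if len(f) < 9:
            continue                             # tolerate short/blank lines
        if int(f[3], 16) == ETH_P_ALL:
            found.append({"ifindex": int(f[4]), "uid": int(f[7]),
                          "inode": int(f[8])})
    return found

def owners(inode):
    """PIDs holding socket:[inode]; needs root to see other users' fds."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:
            pass                                 # process exited or no access
    return sorted(pids)

if __name__ == "__main__":
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as fh:
            print(path.split("/")[4], "PROMISC" if is_promisc(fh.read()) else "-")
    try:
        with open("/proc/net/packet") as fh:
            live = fh.read()
    except OSError:
        live = SAMPLE                            # fall back to the sample
    for s in capture_all_sockets(live):
        print(s, "pids:", owners(s["inode"]))
```

Legitimate daemons also open packet sockets, so the output is a list to review against what is expected on the host, and an ifindex of 0 means the socket is not bound to one interface.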


