spoofers and sniffers
Mark C. Langston
mark at bitshift.org
Wed Dec 15 10:32:42 PST 2004
On Wed, Dec 15, 2004 at 10:12:44AM -0800, Alvin Oga wrote:
>
> none of the sniffer detector apps was able to find those "sniffers"
>
> -- so how does one know that there is a sniffer in your subnet
> or upstream at the isp, colo, wireless connectivity
>
A trivial trick is to inject a packet that the sniffer will see that has
a "flag" source or destination IP. Many, many people don't bother to
disable name resolution when sniffing. You watch for the ARP (or, in
the case of remote sniffers, the query to a nameserver you control). If
you inject something that has no other business being on the network,
when you see the response packet (ARP or query), you know they're
sniffing.
--
Mark C. Langston The GOSSiP Project
mark at bitshift.org http://sufficiently-advanced.net
Factotum Distributed, Peer-to-Peer
http://bitshift.org E-mail Reputation System
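
The nameserver-side check for the remote case described in the message above, as an added example that is not part of the original post: it parses raw DNS queries and reports any PTR lookup for a decoy ("flag") address. The decoy address, resolver addresses, timestamps and function names are constructed for illustration, and it assumes the decoy's reverse zone is delegated to a nameserver you control.

```python
import ipaddress
import struct

PTR = 12  # DNS QTYPE for reverse lookups

def parse_question(msg):
    """Return (qname, qtype) for the first question of a DNS query."""
    if len(msg) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        n = msg[pos] if pos < len(msg) else 0xFF
        if n & 0xC0 or pos + 1 + n > len(msg):  # pointer or overrun
            raise ValueError("bad name")
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]

def decoy_hits(decoys, queries):
    """Return (timestamp, resolver, decoy) for each PTR query naming a decoy.
    queries: (timestamp, source_ip, raw_dns_message) seen by our nameserver."""
    wanted = {ipaddress.ip_address(d).reverse_pointer: d for d in decoys}
    hits = []
    for ts, src, raw in queries:
        try:
            qname, qtype = parse_question(raw)
        except ValueError:
            continue  # malformed or not a query
        if qtype == PTR and qname in wanted:
            hits.append((ts, src, wanted[qname]))
    return hits

def build_query(name, qtype):
    """Build a minimal DNS query; only used to construct the sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return hdr + qname + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample (documentation-range addresses, made-up timestamps).
DECOYS = ["203.0.113.77"]
SAMPLE = [("10:31:02", "198.51.100.20", build_query("www.example.com", 1)),
          ("10:32:45", "198.51.100.9", build_query("77.113.0.203.in-addr.arpa", PTR))]
```

The source address of a hit is normally the recursive resolver used by the sniffing host rather than the host itself, so a hit narrows the search to that resolver's clients.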