spoofers and sniffers

Mark C. Langston mark at bitshift.org
Wed Dec 15 10:32:42 PST 2004


On Wed, Dec 15, 2004 at 10:12:44AM -0800, Alvin Oga wrote:
> 
> none of the sniffer detector apps was able to find those "sniffers"
> 
> -- so how does one know that there is a sniffer in your subnet
>    or upstream at the isp, colo, wireless connectivity
> 

A trivial trick is to inject a packet that the sniffer will see that has
a "flag" source or destination IP.  Many, many people don't bother to
disable name resolution when sniffing.  You watch for the ARP (or, in
the case of remote sniffers, the query to a nameserver you control).  If
you inject something that has no other business being on the network,
when you see the response packet (ARP or query), you know they're
sniffing.


-- 
Mark C. Langston                                 The GOSSiP Project
mark at bitshift.org                  http://sufficiently-advanced.net
Factotum                                  Distributed, Peer-to-Peer
http://bitshift.org                        E-mail Reputation System
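
The watching half of the trick described in the message above, as an added example that is not part of the original post: it scans the query log of a nameserver you control for reverse (PTR) lookups of the "flag" addresses and reports which resolver asked. The canary addresses, the log line layout, and the function names are assumptions made for this illustration.

```python
import ipaddress
import re

# Canary ("flag") addresses: assumed for this example (RFC 5737 documentation
# ranges). No host uses them, so only a sniffer's resolver would look them up.
CANARY_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.77", "198.51.100.201")}

# Constructed sample of a query log from the nameserver you control.
# The line layout is an assumption (BIND-like), not output from a real server.
SAMPLE_LOG = """\
15-Dec-2004 10:30:58 client 192.0.2.10#1042: query: www.example.org IN A
15-Dec-2004 10:31:02 client 192.0.2.53#32768: query: 77.113.0.203.in-addr.arpa IN PTR
15-Dec-2004 10:31:05 client 192.0.2.10#1043: query: 9.2.0.192.in-addr.arpa IN PTR
15-Dec-2004 10:31:09 client 192.0.2.99#4100: query: 201.100.51.198.IN-ADDR.ARPA. IN PTR
15-Dec-2004 10:31:11 client 192.0.2.10#1044: query: 300.1.1.1.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(r"client (?P<client>[0-9.]+)#\d+: query: (?P<qname>\S+) IN PTR")


def ptr_name_to_ip(qname):
    """Turn 'd.c.b.a.in-addr.arpa' into IPv4 a.b.c.d, or None if malformed."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels)))
    except ValueError:
        return None  # e.g. an octet above 255


def find_sniffer_lookups(log_text, canaries=CANARY_IPS):
    """Return (resolver_ip, canary_ip) for every reverse lookup of a canary."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        ip = ptr_name_to_ip(m.group("qname")) if m else None
        if ip in canaries:
            hits.append((m.group("client"), str(ip)))
    return hits


if __name__ == "__main__":
    for resolver, canary in find_sniffer_lookups(SAMPLE_LOG):
        print(f"reverse lookup of canary {canary} came from {resolver}")
```

The address reported is the resolver that forwarded the lookup, which may be the sniffing host itself or the recursive nameserver it is configured to use.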


