spoofers and sniffers
Alvin Oga
alvin at Mail.Linux-Consulting.com
Wed Dec 15 11:45:16 PST 2004
On Wed, 15 Dec 2004, Mark C. Langston wrote:
> A trivial trick is to inject a packet that the sniffer will see that has
> a "flag" source or destination IP. Many, many people don't bother to
> disable name resolution when sniffing. You watch for the ARP (or, in
> the case of remote sniffers, the query to a nameserver you control). If
> you inject something that has no other business being on the network,
> when you see the response packet (ARP or query), you know they're
> sniffing.
i think you can also just watch for the dns packets with
the "fake info" showing up again from presumably the sniffer
and not necessarily on the dns server one controls
and if the sniffer does not do a dns or arp lookup, we won't be able to
find the sniffer ?
- a good sniffer would target their packets ??
eg, only check for emails (port25 on particular hosts)
and don't do ip# or mac lookups ?
the sniffers i was looking for things like tcpdump where someone
tries to pick up all they can and presumably read emails ...
but pfilt.pl works simpler/faster for sniffing emails
and went undetected and works on wireless too
btw.. what happened to the RobertGraham.com site where the sniffer faq
is always being referenced to
sniffer detectors i played with
http://www.linux-sec.net/Sniffer.Detectors/
c ya
alvin
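The detection trick Mark describes (inject a bait address nothing on the wire should ever resolve, then watch who reverse-resolves it), as an added example that is not code from the original thread: it derives the PTR name for the bait address and scans constructed BIND-style query-log and tcpdump-style ARP lines for any host that tries to look it up. The log formats, addresses and the host 192.168.1.77 are assumed sample values.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample lines (not from the original message): three BIND-style
# query-log entries and one tcpdump-style ARP line. 192.168.1.2 is the local
# resolver; 192.168.1.77 is the host that reveals itself by resolving the bait.
SAMPLE_LOG = [
    "client 192.168.1.10#40001: query: www.example.com IN A + (192.168.1.2)",
    "client 192.168.1.77#53123: query: 7.8.9.10.in-addr.arpa IN PTR + (192.168.1.2)",
    "client 192.168.1.10#40002: query: 2.1.168.192.in-addr.arpa IN PTR + (192.168.1.2)",
    "11:45:16.000 ARP, Request who-has 10.9.8.7 tell 192.168.1.77, length 28",
]

IPV4 = r"\d+\.\d+\.\d+\.\d+"
DNS_RE = re.compile(rf"client (?P<src>{IPV4})#\d+.*?query: (?P<name>\S+) IN (?P<rtype>\w+)")
ARP_RE = re.compile(rf"ARP, Request who-has (?P<target>{IPV4}) tell (?P<src>{IPV4})")


def bait_ptr_name(ip: str) -> str:
    """Reverse-lookup name a resolver queries for ip, e.g. 10.9.8.7 -> 7.8.9.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def find_sniffers(lines: Iterable[str], bait_ips: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source host, bait ip, evidence) for every lookup of a bait address.

    The bait must be an address that never legitimately appears on the segment,
    otherwise ordinary hosts will trip the check. A sniffer run with name
    resolution disabled never issues the lookup, which is the limitation the
    thread points out: this catches careless sniffers, not careful ones.
    """
    bait_set = set(bait_ips)
    ptr_to_ip = {bait_ptr_name(ip): ip for ip in bait_set}
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group("rtype") == "PTR":
            name = m.group("name").rstrip(".")
            if name in ptr_to_ip:
                hits.append((m.group("src"), ptr_to_ip[name], "PTR"))
                continue
        m = ARP_RE.search(line)
        if m and m.group("target") in bait_set:
            hits.append((m.group("src"), m.group("target"), "ARP"))
    return hits
```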