[66599] in North American Network Operators' Group
RE: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Wojtek Zlobicki)
Fri Jan 16 18:10:54 2004
From: "Wojtek Zlobicki" <wojtekz@idirect.com>
To: <nanog@merit.edu>
Date: Fri, 16 Jan 2004 18:01:35 -0500
In-Reply-To: <20040116173345.W98865@kod.inch.com>
Errors-To: owner-nanog-outgoing@merit.edu

Since all sniffers I know of are passive devices, there really shouldn't be
a way to track one down. From a Cisco standpoint, if I were mirroring a
port, and had a sniffer mirroring the sniffer port, I would see traffic of a
unicast nature with multiple unicast MAC destinations destined at a
switchport with only one MAC address cached.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Gerald
Sent: Friday, January 16, 2004 5:35 PM
To: nanog@merit.edu
Subject: sniffer/promisc detector

Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?
Gerald
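
The switch-side observation in the reply above (unicast frames for many different MAC destinations leaving a port that has only one MAC address cached) can be checked mechanically. The following is an added example, not part of the original thread: the function name, port names, MAC addresses and threshold are constructed, and it assumes you already have the switch's MAC table and a record of frames seen leaving each port.

```python
from collections import defaultdict

def is_unicast(mac: str) -> bool:
    # The I/G bit (lowest bit of the first octet) is 0 for unicast addresses.
    return int(mac.split(":")[0], 16) & 1 == 0

def mirror_like_ports(cam, egress_frames, min_foreign=2):
    """cam: {port: set of MACs learned on that port}.
    egress_frames: iterable of (egress_port, dst_mac) seen leaving the switch.
    Returns {port: sorted foreign unicast destinations} for ports that have at
    most one MAC cached yet receive unicast traffic addressed to hosts that
    the switch learned on other ports."""
    owner = {mac.lower(): port for port, macs in cam.items() for mac in macs}
    foreign = defaultdict(set)
    for port, dst in egress_frames:
        dst = dst.lower()
        if not is_unicast(dst):
            continue  # broadcast/multicast reaches every port legitimately
        learned_on = owner.get(dst)
        if learned_on is None:
            continue  # unknown unicast is flooded to all ports, not a signal
        if learned_on != port:
            foreign[port].add(dst)
    return {p: sorted(m) for p, m in foreign.items()
            if len(cam.get(p, ())) <= 1 and len(m) >= min_foreign}

# Constructed sample data: Fa0/9 is the port under suspicion.
CAM = {
    "Fa0/1": {"00:11:22:33:44:01"},
    "Fa0/2": {"00:11:22:33:44:02"},
    "Fa0/3": {"00:11:22:33:44:03"},
    "Fa0/9": {"00:11:22:33:44:09"},
}
FRAMES = [
    ("Fa0/1", "00:11:22:33:44:01"),
    ("Fa0/2", "00:11:22:33:44:02"),
    ("Fa0/9", "00:11:22:33:44:01"),
    ("Fa0/9", "00:11:22:33:44:02"),
    ("Fa0/9", "00:11:22:33:44:03"),
    ("Fa0/9", "ff:ff:ff:ff:ff:ff"),  # broadcast, ignored
    ("Fa0/3", "00:11:22:33:44:aa"),  # unknown unicast flood, ignored
    ("Fa0/3", "01:00:5e:00:00:01"),  # multicast, ignored
]

if __name__ == "__main__":
    print(mirror_like_ports(CAM, FRAMES))
```

A hit only says the port is receiving copies of other hosts' traffic, which is also what an authorised monitoring port looks like, so compare the result against the mirror sessions you have configured.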