[66650] in North American Network Operators' Group


Re: sniffer/promisc detector

daemon@ATHENA.MIT.EDU (Gerald)
Mon Jan 19 11:22:16 2004

Date: Mon, 19 Jan 2004 11:21:23 -0500 (EST)
From: Gerald <gcoon@inch.com>
To: Sam Stickland <sam_ml@spacething.org>
Cc: nanog@merit.edu
In-Reply-To: <02af01c3dd12$15a858d0$fb00a8c0@office.toastedmedia.net>
Errors-To: owner-nanog-outgoing@merit.edu



On Sat, 17 Jan 2004, Sam Stickland wrote:

> In an all switched network, sniffing can normally only be accomplished with
> MAC address spoofing (Man In The Middle). Watching for MAC address changes
> (from every machine's perspective), along with scanning for separate machines
> with the same ARP address, and using switches that can detect when a MAC
> address moves between ports will go a long way towards detecting sniffing.

My machines all scream bloody murder when an IP address has more than one
MAC or even if the IP changes MAC addresses.

One of the suggestions mailed to me off list:
http://sniffdet.sourceforge.net/

I haven't looked into it yet, but figured I would keep all of the
suggestions in public view.

Gerald
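
Added example, not part of the original message and not code from sniffdet or any tool named in the thread: a minimal sketch of the IP/MAC binding checks discussed above (an IP changing MAC, an IP flipping back and forth between MACs, one MAC answering for several IPs). The function name `watch`, the alert labels and the sample observations are constructed for illustration; a real deployment would feed it ARP replies seen on the wire.

```python
from collections import defaultdict

# Constructed sample observations: (timestamp, IP, MAC) as parsed from ARP replies.
SAMPLE = [
    (100, "192.0.2.1", "00:11:22:33:44:55"),
    (101, "192.0.2.10", "00:aa:bb:cc:dd:01"),
    (160, "192.0.2.1", "00:11:22:33:44:55"),
    (200, "192.0.2.1", "00:de:ad:be:ef:99"),   # gateway IP now claimed by another MAC
    (205, "192.0.2.20", "00:de:ad:be:ef:99"),  # same MAC also answers for a second IP
    (230, "192.0.2.1", "00:11:22:33:44:55"),   # original owner answers again
]

def watch(observations):
    """Return (timestamp, kind, detail) alerts for IP/MAC binding anomalies."""
    current = {}                    # ip  -> MAC most recently seen for it
    history = defaultdict(set)      # ip  -> every MAC ever seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        prev = current.get(ip)
        if prev is not None and prev != mac:
            # A return to a previously seen MAC means two hosts are contending
            # for the IP (flip-flop); a never-seen MAC is a plain change.
            kind = "flip-flop" if mac in history[ip] else "changed-mac"
            alerts.append((ts, kind, f"{ip} {prev} -> {mac}"))
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            # Can be legitimate (routers, IP aliases), so treat as a lead to check.
            alerts.append((ts, "mac-multiple-ips", f"{mac} also claims {ip}"))
        current[ip] = mac
        history[ip].add(mac)
        ips_by_mac[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in watch(SAMPLE):
        print(*alert)
```

Hosts with known static bindings (gateways, servers) are the ones worth alerting on loudly; DHCP pools will produce benign changed-mac events as leases turn over.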

