[1646] in bugtraq
Re: sniffers
daemon@ATHENA.MIT.EDU (Asriel DeCatte)
Mon May 1 02:38:53 1995
From: Asriel DeCatte <asriel@chewy.wookie.net>
To: jmb@kryten.Atinc.COM (Jonathan M. Bresler)
Date: Sun, 30 Apr 1995 21:51:33 -0400 (EDT)
Cc: bugraq[D[D[3~[3~@chewy.wookie.net, bugtraq@fc.net
In-Reply-To: <Pine.3.89.9504292327.A18177-0100000@kryten.atinc.com> from "Jonathan M. Bresler" at Apr 29, 95 11:29:52 pm
> a sniffer can have its transmit lead cut and still function.
> this configuration is described in one of the common security
> papers--TAMU's tiger paper perhaps, I don't remember. with the transmit
> lead cut, you can't detect.
This assumes that the snooper you're worried about has physical access to
the ethernet wire in question. Assuming the intruder does NOT have such
access, as is the case most of the time, in order to set up a "sniffer"
the intruder has to modify the configuration of an existing system. The
changes this individual effects tend to leave footprints. I just figured
it'd be worth it to know some methods of detecting a software-based sniffer.
------------------------------------------------------------------------
A s r i e l D e C a t t e a t M 0 C K C h i c a g o , 1 9 9 5 . . .
do not lead for I will not follow - do not follow for I will not lead
asriel@wookie.net
------------------------------------------------------------------------
main(){while(1){fork();}}