[1654] in bugtraq
Re: Detecting a sniffer
daemon@ATHENA.MIT.EDU (Mike Neuman)
Mon May 1 16:03:03 1995
Date: Mon, 1 May 1995 12:49:43 -0500
From: Mike Neuman <mcn@EnGarde.com>
To: bugtraq@fc.net, bet@std.sbi.com
> From owner-bugtraq@fc.net Mon May 1 11:36:08 1995
> You can't "detect a sniffer" from looking at the net...
There are some tricks you can try, although they won't work in all
cases.
1) rup hostx; generate tremendous amounts of TCP traffic; rup hostx again. If
a sniffer is running, most likely the load will go up substantially to deal
with the increased traffic.
2) Look for large amounts of name server queries. A telltale sign that
tcpdump is running is dozens of requests in a short period of time for
reverse lookups.
As I said, these won't work in all cases, although the sniffers I've seen
floating around in hackers' toolboxes these days will be detected by either
of these techniques.
-Mike
mcn@EnGarde.com
En Garde Systems - Computer Security Software and Consulting
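The reverse-lookup signal from point 2 above, as an added example that is not part of this post: a small Python scan over tcpdump-style DNS lines (constructed sample data, not a real capture) that flags any source host issuing a burst of PTR queries within a short window. It assumes the sniffer actually resolves the addresses it sees; tcpdump started with -n makes no such lookups and leaves no such trace, and the window and threshold are arbitrary tuning values.

```python
import re
from collections import defaultdict, deque

# Constructed tcpdump-style DNS lines (not a real capture). Host 10.0.0.5
# fires off many PTR lookups in a few seconds, as a sniffer resolving every
# address it sees would; 10.0.0.9 and 10.0.0.7 look like normal clients.
SAMPLE_LINES = """\
12:49:40.100000 IP 10.0.0.5.40001 > 10.0.0.2.53: 1001+ PTR? 7.0.0.10.in-addr.arpa. (40)
12:49:40.300000 IP 10.0.0.9.40002 > 10.0.0.2.53: 1002+ A? www.example.com. (33)
12:49:40.500000 IP 10.0.0.5.40003 > 10.0.0.2.53: 1003+ PTR? 8.0.0.10.in-addr.arpa. (40)
12:49:41.000000 IP 10.0.0.5.40004 > 10.0.0.2.53: 1004+ PTR? 9.0.0.10.in-addr.arpa. (40)
12:49:41.400000 IP 10.0.0.5.40005 > 10.0.0.2.53: 1005+ PTR? 10.0.0.10.in-addr.arpa. (41)
12:49:41.900000 IP 10.0.0.5.40006 > 10.0.0.2.53: 1006+ PTR? 11.0.0.10.in-addr.arpa. (41)
12:49:42.300000 IP 10.0.0.5.40007 > 10.0.0.2.53: 1007+ PTR? 12.0.0.10.in-addr.arpa. (41)
12:49:42.800000 IP 10.0.0.5.40008 > 10.0.0.2.53: 1008+ PTR? 13.0.0.10.in-addr.arpa. (41)
12:49:43.000000 IP 10.0.0.9.40009 > 10.0.0.2.53: 1009+ PTR? 1.0.0.10.in-addr.arpa. (40)
12:49:45.000000 IP 10.0.0.7.40010 > 10.0.0.2.53: 1010+ PTR? 2.0.0.10.in-addr.arpa. (40)
12:50:30.000000 IP 10.0.0.7.40011 > 10.0.0.2.53: 1011+ PTR? 3.0.0.10.in-addr.arpa. (40)
12:51:15.000000 IP 10.0.0.7.40012 > 10.0.0.2.53: 1012+ PTR? 4.0.0.10.in-addr.arpa. (40)
"""

# Match only PTR queries; capture the timestamp and the querying host
# (the trailing ".port" on the source address is dropped).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: \d+\+ PTR\? "
)


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def ptr_bursts(lines, window=5.0, threshold=5):
    """Return {src: peak PTR count} for hosts that sent `threshold` or more
    PTR queries within any `window`-second span (sliding window per host)."""
    recent = defaultdict(deque)   # src -> timestamps of PTR queries in window
    peak = defaultdict(int)       # src -> largest window count seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a PTR query; ignore
        src, t = m.group("src"), _seconds(m.group("ts"))
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # expire queries older than the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(ptr_bursts(SAMPLE_LINES.splitlines()))
```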