[1665] in bugtraq
Re: Detecting a sniffer
daemon@ATHENA.MIT.EDU (Mark Owens)
Tue May 2 06:57:20 1995
Date: Tue, 2 May 95 00:50:46 PDT
From: owens@xylan.com (Mark Owens)
To: bugtraq@fc.net

> >Of course you can detect a sniffer, but are you willing to pay the cost
> >of doing so?
>
> You can't "detect a sniffer" from looking at the net; the only way you can
> try is to identify specific software indications of one being run on your
> machine. If it's run on a different machine, on one you can't check (perhaps
> on a palmtop someone has plugged into the net), then you can't detect it at
> all. Even if it's being run on your server, you can detect it if the author
> of the sniffer didn't know about, and defeat, the particular detection
> mechanism you use.

During my work in 'secure' installations, we used fiber media to prevent
the 'sniffing' of packets using inductive pickup. This kind of 'sniffer'
can't be detected easily - 'cept by seeing it (antennas and wires running
next to your cable, where they don't belong, are a give-away).

We also used OTDRs to look for splices in the fiber.
\mgo