Microsoft Windows Vista Community Forums - Vistaheads

Determining the presence of wireshark

microsoft.public.windows.vista.networking sharing

#1  03-09-2010  Karthik Balaguru
Determining the presence of wireshark
Hi,
How to determine the presence of wireshark in a network?
Are there any specific packet types exchanged while it
is present in the network, so that they can be used to determine
its presence in the network? Any tool to identify its presence
in either Windows or Linux? Any ideas?

Thanks in advance,
Karthik Balaguru

#2  03-09-2010  Jeff Liebermann
Re: Determining the presence of wireshark
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
<karthikbalaguru79@gmail.com> wrote:

>How to determine the presence of wireshark in a network ?


Look for NIC cards and wireless devices running in promiscuous mode.

>Are there any specific packet types exchanged while it
>is present in the network so that it can be used to determine
>its presence in the network .


No. A sniffer is totally passive.

>Any tool to identify its presence
>in either Windows or Linux ? Any ideas ?


AntiSniff:
<http://www.nmrc.org/pub/review/antisniff-b2.html>
You may have trouble finding this one.

PromqryUI in DOS and Windowfied versions:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
<http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
Only works for detecting sniffers running on a Windoze system. I
haven't been able to detect DOS, Linux, or Mac sniffers with these
tools.

I've also noticed that most casual users of sniffers running on
laptops like to boot their operating system before firing up their
sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
requests before disappearing into promiscuous mode. These initial
packets can be detected with ArpWatch:
<http://24h.atspace.com/it/security/arpwatch.htm>

The problem is not identifying the presence of the sniffer, it's
identifying which machine is actually doing the sniffing. The MAC
address is a clue, but given the ease of MAC address spoofing, that
information is often useless. Even if I delivered the MAC address on
a silver platter, identifying which one of the potentially hundreds of
similar computers in the room or building might be difficult.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#3  03-09-2010  Bob
Re: Determining the presence of wireshark
On 09/03/2010 17:40, Jeff Liebermann wrote:

>
> PromqryUI in DOS and Windowfied versions:
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
> Only works for detecting sniffers running on a Windoze system. I
> haven't been able to detect DOS, Linux, or Mac sniffers with these
> tools.


Have you tried SNAT? I noticed it on YouTube last week.
<http://www.snat-project.com/documentation.html>


#4  03-09-2010  Rick Jones
Re: Determining the presence of wireshark
In comp.os.linux.networking Bob <bob@invalid.invalid> wrote:
> Have you tried SNAT? I noticed it on YouTube last week.
> <http://www.snat-project.com/documentation.html>


I'm not sure how robust this:

    This action is the one I really like. With the help of it you can
    check if a host on your network is running a sniffer (well,
    technically you're checking if the NIC of that host is running in
    promiscuous mode). The idea behind this is to use an arp request
    with a forged destination address. First of all, let me explain
    what promiscuous and normal mode for the NIC are. In the first
    one the network card simply picks up all of the packets (even
    those that are not directed to it); the second mode only picks up
    the packets that are directed to it and drops any other
    packets. But all network cards that work in normal mode will
    pick up a packet with the destination address equal to
    FF:FF:FF:FF:FF:FF (broadcast). So where is the trick? In a
    network with all NICs working in normal mode, if you send an arp
    request with the destination address = FF:FF:FF:FF:FF:FE none of
    the cards will reply. All of them will simply drop it. But when a
    card works in promiscuous mode it will pick up that packet
    (remember that it picks up all the packets regardless) and reply
    to the request. So when you get a reply from a host after sending
    such a forged packet it means that the NIC is working in promisc
    mode, so probably a network sniffer is running on that
    machine. Let me demonstrate it for you. I'm 192.168.1.6 and the
    host I want to check is 192.168.1.8. As usual go to the directory
    where you have snat.jar and execute the command (if you have any
    problems go here):

will be. First, I suppose that 99 times out of 10 a host responding
to that MAC address will be in promiscuous mode, but since the group
bit is set... And I would think all it takes is a small change to the
ARP code to verify that the destination MAC was a full broadcast...

The upshot is it is probably best to ass-u-me that unless you have
complete physical control of your network - all the wires, all the
ports, no wireless - that someone is listening.

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

#5  03-09-2010  Lew Pitcher
Re: Determining the presence of wireshark
On March 9, 2010 12:40, in comp.os.linux.networking, jeffl@cruzio.com wrote:

> On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
> <karthikbalaguru79@gmail.com> wrote:
>
>>How to determine the presence of wireshark in a network ?

>
> Look for NIC cards and wireless devices running in promiscuous mode.


Note that this will present false positives if the NICs in question are
running with "user set" MAC addresses.

With "user set" MAC addresses, the NIC cannot use its built-in comparison
logic to find frames addressed to the NIC. The OS NIC driver logic has to
match the MAC address on /all/ "on the wire" packets to the "user set" MAC
address, and extract those that match. This requires that the NIC run in
promiscuous mode, to permit the driver access to all the network traffic.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
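A small model of the forged-destination ARP probe quoted from the SNAT documentation above, with Rick's group-bit caveat and Lew's "user set" MAC case, as an added example that is not code from the thread or from the SNAT project. Host, Frame and the flags on Host are assumptions standing in for a receiving host's NIC hardware filter, its driver and its ARP code; nothing is sent on the wire.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
PROBE_DST = "ff:ff:ff:ff:ff:fe"   # the forged destination used by the probe


def group_bit_set(mac: str) -> bool:
    # Low bit of the first octet marks a group (multicast/broadcast) address.
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    dst_mac: str
    target_ip: str   # ARP who-has: the IP being asked about


@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False     # sniffer running, or the driver needs it (Lew)
    all_multicast: bool = False   # NIC passes every group address (Rick's caveat)
    driver_filters: bool = False  # "user set" MAC: driver re-checks dst itself
    strict_arp: bool = False      # ARP code insists on a real broadcast or own MAC

    def nic_accepts(self, f: Frame) -> bool:
        # Hardware address filter (assumed behaviour).
        if self.promiscuous or f.dst_mac in (self.mac, BROADCAST):
            return True
        return self.all_multicast and group_bit_set(f.dst_mac)

    def driver_accepts(self, f: Frame) -> bool:
        # A driver serving a user-set MAC matches the address in software,
        # so the ..:fe probe is dropped here although the NIC passed it up.
        return not self.driver_filters or f.dst_mac in (self.mac, BROADCAST)

    def arp_replies(self, f: Frame) -> bool:
        if not (self.nic_accepts(f) and self.driver_accepts(f)):
            return False
        if self.strict_arp and f.dst_mac not in (self.mac, BROADCAST):
            return False   # the "small change to the ARP code" Rick mentions
        return f.target_ip == self.ip


def probe_replies(host: Host) -> bool:
    """True when the host answers a who-has for its own IP sent to PROBE_DST."""
    return host.arp_replies(Frame(PROBE_DST, host.ip))
```

Lew's user-set-MAC host is in promiscuous mode, so a mode-flag check such as PromqryUI flags it, yet it gives the probe no reply because the driver filters; a NIC that accepts all multicast answers although nothing is sniffing.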


#6  03-09-2010  DanS
Re: Determining the presence of wireshark
Rick Jones <rick.jones2@hp.com> wrote in news:hn66ht$h7r$2@usenet01.boi.hp.com:

> In comp.os.linux.networking Bob <bob@invalid.invalid> wrote:
>> Have you tried SNAT? I noticed it on YouTube last week.
>> <http://www.snat-project.com/documentation.html>

>
> I'm not sure how robust this:
>
> This action is the one I really like. With the help of it you can
> check if a host on your network is running a sniffer (well,


<SNIP>

> host I want to check is 192.168.1.8 As usual go to the directory
> where you have snat.jar and execute the command (if you have any
> problems go here) :
>
> will be. First, I suppose that 99 times out of 10 a host responding
> to that MAC address will be in promiscuous mode, but since the group
> bit is set... And I would think all it takes is a small change to the
> ARP code to verify that the destination MAC was a full broadcast...


Is this supposedly for Windows, Linux, OSX, BSD, etc ?

I'm sure it's OS specific. For instance, a Windows box will not reply to a
broadcast ping, but a Linux box will.

#7  03-14-2010  Karthik Balaguru
Re: Determining the presence of wireshark
On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....@r.o.a.d.r.u.n.n.e.r.c.o.m>
wrote:
> Rick Jones <rick.jon...@hp.com> wrote in news:hn66ht$h7r$2@usenet01.boi.hp.com:
>
> > In comp.os.linux.networking Bob <b...@invalid.invalid> wrote:
> >> Have you tried SNAT? I noticed it on YouTube last week.
> >> <http://www.snat-project.com/documentation.html>

>
> > I'm not sure how robust this:

>
> >     This action is the one I really like. With the help of it you can
> >     check if a host on your network is running a sniffer (well,

>
> <SNIP>
>
> >     host I want to check is 192.168.1.8 As usual go to the directory
> >     where you have snat.jar and execute the command (if you have any
> >     problems go here) :

>
> > will be. First, I suppose that 99 times out of 10 a host responding
> > to that MAC address will be in promiscuous mode, but since the group
> > bit is set... And I would think all it takes is a small change to the
> > ARP code to verify that the destination MAC was a full broadcast...

>
> Is this supposedly for Windows, Linux, OSX, BSD, etc ?
>
> I'm sure it's OS specific. For instance, a Windows box will not reply to a
> broadcast ping, but a Linux box will.


But why does a Windows box not reply to the broadcast ping :-( whereas
the Linux box replies to the broadcast ping? That is,
are there any specific reasons for it not being supported in Windows and for
being supported in Linux?

Thanks in advance,
Karthik Balaguru

#8  03-20-2010  PaulusJrLz
Re: Determining the presence of wireshark
On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...@gmail.com>
wrote:
> Hi,
> How to determine the presence of wireshark in a network ?
> Are there any specific packet types exchanged while it
> is present in the network so that it can be used to determine
> its presence in the network . Any tool to identify its presence
> in either Windows or Linux ? Any ideas ?
>
> Thx in advans,
> Karthik Balaguru


One indicator of sniffer activity is a lot of DNS requests from the
sniffer.
This detection is not always effective, since the sniffer's DNS resolution
can be turned off.

Junior Lazuardi
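The DNS indicator in the post above, as the kind of check a monitor would run over its own DNS query log. This is an added example, not code from the thread or from AntiSniff; the log format, the bait address and the threshold are constructed assumptions. The monitor sends decoy traffic to an unused bait address, so a host that then reverse-resolves that address could only have seen the traffic by sniffing; hosts doing unusually many distinct reverse lookups are flagged as a weaker signal.

```python
from collections import defaultdict

BAIT_IP = "192.168.1.250"   # constructed: unused address the monitor sends decoy traffic to

# Constructed query log: time, source host, query type, query name.
SAMPLE_LOG = """\
10:01:02 192.168.1.6 PTR 8.1.168.192.in-addr.arpa
10:01:03 192.168.1.8 PTR 250.1.168.192.in-addr.arpa
10:01:03 192.168.1.8 PTR 6.1.168.192.in-addr.arpa
10:01:04 192.168.1.8 PTR 9.1.168.192.in-addr.arpa
10:01:05 192.168.1.7 A www.example.com
"""


def ptr_to_ip(qname: str):
    """'250.1.168.192.in-addr.arpa' -> '192.168.1.250'; None if not an IPv4 PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:4]))
    return None


def parse_log(text: str):
    # Yields (src, qtype, qname) for each well-formed line of the constructed format.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def dns_test(text: str, bait: str = BAIT_IP, max_ptr: int = 2) -> dict:
    """Map each suspect source host to the reasons it was flagged."""
    looked_up = defaultdict(set)   # src -> set of IPs it reverse-resolved
    for src, qtype, qname in parse_log(text):
        ip = ptr_to_ip(qname) if qtype == "PTR" else None
        if ip:
            looked_up[src].add(ip)
    suspects = {}
    for src, ips in looked_up.items():
        reasons = []
        if bait in ips:
            reasons.append("reverse lookup of bait address " + bait)
        if len(ips) > max_ptr:
            reasons.append("%d distinct reverse lookups" % len(ips))
        if reasons:
            suspects[src] = reasons
    return suspects
```

As the post says, a sniffer with name resolution switched off never issues these queries and stays invisible to this test.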

#9  03-20-2010  Karthik Balaguru
Re: Determining the presence of wireshark
On Mar 20, 11:49 am, PaulusJrLz <paulusj...@gmail.com> wrote:
> On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...@gmail.com>
> wrote:
>
> > Hi,
> > How to determine the presence of wireshark in a network ?
> > Are there any specific packet types exchanged while it
> > is present in the network so that it can be used to determine
> > its presence in the network . Any tool to identify its presence
> > in either Windows or Linux ? Any ideas ?

>
> > Thx in advans,
> > Karthik Balaguru

>
> One indicator of sniffer activity is a lot of DNS requests from the
> sniffer.
> This detection is not always effective, since sniffer's DNS resolution
> can be turned off.
>


I think that is how antisniff has been played down
by some sniffers.

I have been searching for these tools that help
in finding the remote systems in promiscuous mode
in a network. I did come across other tools that
help in detection of a system in promiscuous mode
such as the following-

1. Sentinel
Supports 3 methods of remote promiscuous
detection: the DNS test, Etherping test, ARP test
(-a arp test, -d dns test, -e icmp etherping test).
Need to check it out. Has anyone tried this
out?

2. neped.c
http://www.artofhacking.com/tucops/h.../aoh_neped.htm
Network Promiscuous Ethernet Detector w.r.t. Linux.
Specifically designed to detect the sniffers that
use the flaw in the Linux TCP/IP stack! I think this
will not be useful for the kernels in which the
flaw has been fixed, such as kernel 2.2.10, as they
drop the incoming packets that are not destined
for this ethernet address.

3. promisc.c
http://seclists.org/nmap-hackers/199.../promisc_c.bin
Determines whether the machine on which it is run is
in promisc mode.
This is similar to "ifconfig -a|grep PROMISC" :-)
But, this does not help remote machine (sniffer)
detection :-(

4. ifstatus
ftp://ftp.cerias.purdue.edu/pub/tool...tus-4.0.tar.gz
Checks the network interfaces on the
system and reports any that are in debug or
promiscuous mode. Not suitable for remote sniffer
detection :-(

5. Antisniff
So it appears antisniff can be tricked if
kernel 2.2.10 is used, or if the DNS lookup test is
avoided, or if the sniffing is not done above an
average network traffic limit. And it seems there
is an equally interesting 'Anti-Antisniff Sniffer'
to play down the antisniff utility :-(

But, I am not sure if Sentinel helps in detection
of remote promiscuous mode (sniffer) even in the
case of linux kernel 2.2.10!?

Thanks in advance,
Karthik Balaguru

#10  03-20-2010  Stephane CHAZELAS
Re: Determining the presence of wireshark
2010-03-20, 01:59(-07), Karthik Balaguru:
[...]
> 1. Sentinel
> Supports 3 methods of remote promiscuous
> detection: The DNS test,Etherping test,ARP test.
> -a arp test, -d dns test,-e icmp etherping test.
> Need to check it out. Has anyone tried this
> out ?


All those methods assume the interface is configured with an IP
address, or that the system supports IP. There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.

Probably same with

sudo ip addr flush dev eth0

> 2. neped.c
> http://www.artofhacking.com/tucops/h.../aoh_neped.htm
> Network Promiscuous Ethernet Detector w.r.t Linux-
> Specifically designed to detect the sniffers that
> use the flaw in Linux TCP/IP Stack !!. I think this
> will not be useful for the kernels in which the
> flaw has been fixed such as kernel 2.2.10 as they
> drop the incoming packets that are not destined
> for this ethernet address.


2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.

--
Stéphane