How to detect sniffers within and outside a network.

19 years 5 months ago #6014 by LostBoy
In reply to a query on how to detect sniffers, one of the things mentioned was to ping the suspected IP and a slight variation of its MAC address.

My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the IP address and a slight change of the suspected MAC address, nor do I know/understand how to send ARP requests to the suspected sniffer. When I ping an IP address followed by its MAC (or a slight variation of its MAC), I get "bad parameter". HELP! I think I am being really stupid, so could you tell me or redirect me to an idiot's guide on how to do this.
19 years 5 months ago #6016 by FallenZer0
--Check the below link.

www.robertgraham.com/pubs/sniffing-faq.html

See the section *How Can I Detect A Packet Sniffer*.

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
19 years 5 months ago #6032 by Rockape
I think there are a few things to deal with here, so let's try:

"My problem is I can't seem to figure out/understand how one can detect a packet sniffer by pinging the ip address and a slight change of the suspected MAC address"

Unless you happen to have a complete list of every device on your network (including IP address and MAC address), you won't easily be able to tell if this device should or should not be on the network. Sniffer programs can sit on any type of computer device (laptop/desktop) and must have a valid IP address and subnet etc. So like I said above, unless you know every device on your network, finding a sniffer is difficult. The other thing to consider is a sniffer is just that, a sniffer. It sits on the network and just watches what goes past, and takes a copy. It doesn't interact with the network.

"nor do I know/understand how to send ARP requests to the suspected sniffer."

Again, see above. In addition, ARP requests are usually sent by devices to find out how to get to/from a specific device. The ARP cache is normally a dynamic list of addresses. If you want to see what one looks like, then try the following: on one of your PCs, ping a known device. Once you have had a response, type the following command: arp -a. This will show you all the devices your PC is aware of.

Finally, MAC addresses are hardcoded onto every device. So, although an IP address can be changed (by administrators etc.), the MAC address is constant. So, pinging an IP address and a different MAC address doesn't seem like a good idea.

I hope that made some kind of sense, but it is still early(ish) in the morning, and my brain isn't fully awake yet!!!
19 years 5 months ago #6033 by gl0bal
Hi LostBoy,

From what I understand you can detect some sniffers by searching for NICs that are in 'promiscuous' mode. l0pht created a tool called AntiSniff that runs on the Windows platform.

There is some good info here
www.securiteam.com/tools/AntiSniff_-_fin...r_local_network.html

The links to www.l0pht.com/antisniff/ no longer work but you may be able to get a copy by going to www.astalavista.com and searching for antisniff. Unfortunately astalavista.com was down when I visited so I cannot confirm this.

There is a thread talking about your type of situation here
www.derkeiler.com/Newsgroups/microsoft.p...ty/2004-01/1621.html
19 years 5 months ago #6041 by sahirh
1. MAC addresses can be changed
2. Packets can be crafted from the data link layer up
3. I don't remember the exact methodology for detecting sniffers but it was something along the lines of the sniffer replying to some particular packet...

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
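The "sniffer replying to some particular packet" that sahirh remembers, and the bogus-MAC ping that confused LostBoy, both rest on one mechanism: a NIC in normal mode drops frames not addressed to it, while a NIC in promiscuous mode passes everything up, and the IP stack above only checks the target IP before answering an ARP request. The following model of that mechanism is added here and is not code from any post in this thread; the sample hosts and the list of bogus destination MACs are constructed for the illustration (the MACs are the commonly cited probe variants, the exact set used by any given tool may differ).

```python
# Added illustration: why a promiscuous-mode host answers an ARP request
# whose Ethernet destination MAC is deliberately wrong. Hosts and probe
# MACs below are constructed; a real probe would be sent with a raw-socket tool.

BROADCAST = "ff:ff:ff:ff:ff:ff"

def nic_accepts(frame_dst: str, nic_mac: str, promiscuous: bool) -> bool:
    """Hardware address filter of an Ethernet NIC.

    Normal mode: only frames for our own MAC or the broadcast MAC reach the OS.
    Promiscuous mode (what a sniffer enables): every frame reaches the OS.
    """
    if promiscuous:
        return True
    return frame_dst.lower() in (nic_mac.lower(), BROADCAST)

def arp_replies(host: dict, frame_dst: str, target_ip: str) -> bool:
    """Does the host's IP stack answer an ARP 'who-has target_ip' request?

    The stack never re-checks the Ethernet destination; it only checks that the
    requested IP is its own. A frame that slipped through a promiscuous NIC is
    therefore answered like any other.
    """
    if not nic_accepts(frame_dst, host["mac"], host["promiscuous"]):
        return False
    return target_ip == host["ip"]

# Commonly cited probe variants: non-broadcast destinations that a normal NIC
# must drop. (Constructed list; tools differ in which ones they send.)
BOGUS_DSTS = ["ff:ff:ff:ff:ff:fe", "ff:ff:00:00:00:00", "ff:00:00:00:00:00"]

def probe(host: dict) -> dict:
    """Send each bogus-MAC ARP probe for the host's own IP; record who answered."""
    return {dst: arp_replies(host, dst, host["ip"]) for dst in BOGUS_DSTS}

def looks_promiscuous(host: dict) -> bool:
    """Control first: a host that ignores a normal broadcast ARP is simply down
    or filtered, not 'clean'. Then any reply to a bogus destination means the
    NIC did not filter the frame, i.e. it is in promiscuous mode."""
    if not arp_replies(host, BROADCAST, host["ip"]):
        return False
    return any(probe(host).values())

# Constructed sample hosts.
NORMAL_HOST = {"ip": "192.168.1.10", "mac": "00:11:22:33:44:55", "promiscuous": False}
SNIFFER_HOST = {"ip": "192.168.1.20", "mac": "00:11:22:33:44:66", "promiscuous": True}

if __name__ == "__main__":
    for h in (NORMAL_HOST, SNIFFER_HOST):
        print(h["ip"], "promiscuous:", looks_promiscuous(h), probe(h))
```

On a switched network the probe only reaches hosts the switch forwards the frame to, and some NIC drivers filter differently from the pure model above, so a negative result is not proof that no sniffer exists.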
19 years 5 months ago #6047 by apit
Can a sniffer sniff packets by VLAN?
Let's say I have 7 VLANs.
Can it sniff all the VLANs at one time?