Sniffer detectors for Linux?

Ken Ambrose kena at well.com
Thu Sep 19 14:56:25 EDT 2002


On Thu, 19 Sep 2002, Michael O'Donnell wrote:

> The article mentioned below indicates (to me, anyway) that
> it might be harder than you think to detect all sniffers:
>
>    http://www.linuxjournal.com/article.php?sid=6222

Hmmm.  Valid point.  I know a fair bit about low-level Ethernet stuff,
so: wouldn't it be possible to set up a MAC:IP table of some sort?  I
would think that this is impossible, except that switches are capable of
doing MAC address determination _somehow_, but I don't know what mechanism
is used.  Is it simply an ARP request ("who has 1.2.3.4"), which would
fail, or is it something else?  I imagine something else, as ARP seems
tied to IP, and switches are protocol-agnostic, unless I'm very mistaken.
If you _were_ able to make a MAC-to-IP table, then anyone who wasn't
assigned an IP would come under suspicion.

Of course, if you were on a switched network, most of this is moot anyway,
since you can be in promiscuous mode all day, and you'll only see
broadcasts and your own traffic.

$.02,

-Ken
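The MAC-to-IP reconciliation Ken sketches above, as an added example that is not part of the original thread: it builds an observed table from ARP replies and flags MACs with no assignment, MACs claiming an IP other than their assigned one, and IPs claimed by more than one MAC. The assignment table and the tcpdump-style ARP lines are constructed for illustration; as Ken notes, on a switched network the observing host only sees broadcasts and its own traffic, so this audits the ARP it can see rather than detecting promiscuous mode directly.

```python
import re
from collections import defaultdict

# Constructed MAC -> IP assignment table (e.g. from DHCP leases or inventory).
ASSIGNED = {
    "00:11:22:33:44:55": "10.0.0.10",
    "00:11:22:33:44:66": "10.0.0.11",
}

# Constructed ARP observations in tcpdump-like format; only "Reply" lines
# carry a sender MAC we can bind to an IP.
SAMPLE_ARP_LOG = """\
ARP, Reply 10.0.0.10 is-at 00:11:22:33:44:55, length 28
ARP, Request who-has 10.0.0.12 tell 10.0.0.10, length 28
ARP, Reply 10.0.0.99 is-at 00:11:22:33:44:66, length 28
ARP, Reply 10.0.0.12 is-at aa:bb:cc:dd:ee:ff, length 28
ARP, Reply 10.0.0.10 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)

def observe_arp(log_text):
    """Build the observed MAC -> {IP, ...} table from ARP reply lines."""
    observed = defaultdict(set)
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            observed[mac].add(ip)
    return dict(observed)

def audit(observed, assigned):
    """Compare observed bindings against the assignment table.

    unassigned: MAC seen on the wire with no IP assigned to it.
    mismatch:   assigned MAC claiming an IP other than its own.
    conflict:   one IP claimed by several MACs (possible spoofing).
    """
    findings = {"unassigned": [], "mismatch": [], "conflict": []}
    claimants = defaultdict(set)
    for mac, ips in observed.items():
        for ip in ips:
            claimants[ip].add(mac)
        if mac not in assigned:
            findings["unassigned"].append(mac)
        elif ips != {assigned[mac]}:
            findings["mismatch"].append((mac, sorted(ips)))
    for ip, macs in claimants.items():
        if len(macs) > 1:
            findings["conflict"].append((ip, sorted(macs)))
    return findings
```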

More information about the gnhlug-discuss mailing list