Sniffer detectors for Linux?

Bob Bell bobbell at zk3.dec.com
Thu Sep 19 15:16:28 EDT 2002


On Thu, Sep 19, 2002 at 11:56:25AM -0700, Ken Ambrose <kena at well.com> wrote:
> On Thu, 19 Sep 2002, Michael O'Donnell wrote:
> > The article mentioned below indicates (to me, anyway) that
> > it might be harder than you think to detect all sniffers:
> >
> >    http://www.linuxjournal.com/article.php?sid=6222
> 
> Hmmm.  Valid point.  I know a fair bit about low-level ethernet stuff,
> so: wouldn't it be possible to set up a MAC:IP table of some sort?  I
> would think that this is impossible, except that switches are capable of
> doing MAC address determination _somehow_, but I don't know what mechanism
> is used.  Is it simply an ARP request ("who has 1.2.3.4"), which would
> fail, or is it something else?  I imagine something else, as ARP seems
> tied to IP, and switches are protocol agnostic, unless I'm very mistaken.
> If you _were_ able to make a MAC-to-IP table, then anyone who wasn't
> assigned an IP would come under suspicion.

    I don't quite get your question -- I'm not sure where you are going
with this MAC:IP table or what you mean by "MAC address determination".
You can configure local arp tables never to query for a MAC address, but
rather to use a specific MAC for a given IP.  This much was said in the
article.

> Of course, if you were on a switched network, most of this is moot anyway,
> since you can be in promiscuous mode all day, and you'll only see
> broadcasts and your own traffic.

    Well, not exactly.  You may occasionally see point-to-point
traffic, but if the switch has "forgotten" where the destination MAC
address is, or simply has never learned it, it will flood the packet out
all ports.  This is like a broadcast, but different since the traffic
was not intended to be broadcast to a subnet, but rather was intended
for a specific destination only.

-- 
Bob Bell <bobbell at zk3.dec.com>
-------------------------------------------------------------------------
 "Beware of the above code; I have only proved it correct, not tried it."
   -- Donald Knuth, famous computer scientist
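As an added illustration of the flooding behaviour Bob describes above (example code written for this page; it is not from the thread, nor from any real switch implementation), the toy learning switch below keeps a MAC-to-port table learned from source addresses, ages entries out, and floods any frame whose destination is broadcast or not (or no longer) in the table to every port except the one it came in on.  The MAC addresses, port numbers, 300-second aging time and the timeline of frames are all constructed for the example; the point it shows is that a promiscuous host on port 3 still receives Alice's unicast frames to Bob whenever the switch has nothing learned for Bob's MAC.

```python
"""Toy learning switch: unknown-unicast flooding and MAC aging.

Added example, not code from the original thread.  All MACs, ports
and timings are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses: two ordinary hosts and a sniffer on port 3.
ALICE = "02:00:00:00:00:0a"
BOB = "02:00:00:00:00:0b"
SNIFFER_PORT = 3


@dataclass
class LearningSwitch:
    ports: int
    aging_secs: int = 300  # assumed aging time; real defaults vary by vendor
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def forward(self, ingress: int, src: str, dst: str, now: int) -> list[int]:
        """Return the egress ports that receive a frame arriving on `ingress`."""
        # Learn (or refresh) the source MAC on the ingress port.
        self.table[src] = (ingress, now)
        # Forget entries not seen within the aging window.
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging_secs:
                del self.table[mac]
        if dst == BROADCAST or dst not in self.table:
            # Broadcast, or unknown unicast: flood out every other port.
            return [p for p in range(self.ports) if p != ingress]
        port, _ = self.table[dst]
        # Known unicast: deliver to that port only (drop if it is the ingress port).
        return [] if port == ingress else [port]


def scenario() -> list[tuple[int, str, str]]:
    """Replay a constructed timeline; return unicast frames the sniffer port sees."""
    sw = LearningSwitch(ports=4)
    seen_by_sniffer = []
    events = [
        # (t, ingress port, src MAC, dst MAC)
        (0, 0, ALICE, BOB),    # Bob not yet learned -> flooded, sniffer sees it
        (1, 1, BOB, ALICE),    # Alice learned at t=0 -> port 0 only
        (2, 0, ALICE, BOB),    # Bob learned at t=1 -> port 1 only
        (400, 0, ALICE, BOB),  # Bob's entry aged out -> flooded again
    ]
    for t, ingress, src, dst in events:
        egress = sw.forward(ingress, src, dst, t)
        if SNIFFER_PORT in egress:
            seen_by_sniffer.append((t, src, dst))
    return seen_by_sniffer


if __name__ == "__main__":
    for t, src, dst in scenario():
        print(f"t={t:>3}s  sniffer port saw unicast {src} -> {dst}")
```

Run as-is it prints the two frames (at t=0 and t=400) that leak to the sniffer port; the frames at t=1 and t=2 go only to the learned port.  On a real switch the same effect can be provoked rather than waited for, which is why "switched, therefore safe from sniffing" is too strong a claim.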



More information about the gnhlug-discuss mailing list