Sniffer detectors for Linux?

Tom Buskey tom at buskey.name
Thu Sep 19 16:22:59 EDT 2002


Ken Ambrose said:
>

>so: wouldn't it be possible to set up a MAC:IP table of some sort?  I

arp -a

>would think that this is impossible, except that switches are capable of
>doing MAC address determination _somehow_, but I don't know what mechanism
>is used.  Is it simply an ARP request ("who has 1.2.3.4"), which would
>fail, or is it something else?  I imagine something else, as ARP seems
>tied to IP, and switches are protocol agnostic, unless I'm very mistaken.
>If you _were_ able to make a MAC-to-IP table, then anyone who wasn't
>assigned an IP would come under suspicion.
>
>Of course, if you were on a switched network, most of this is moot anyway,
>since you can be in promiscuous mode all day, and you'll only see
>broadcasts and your own traffic.


Not exactly sure what you're driving at, but....

It's possible to have devices on the net without IP addresses that 
serve useful functions.  I've seen writeups for an invisible syslog 
server.  You manipulate the arp tables to send packets.  I've also seen 
stuff with bridged/transparent firewalls too.

And there's arp table poisoning and you can make some switches redirect/
duplicate traffic to another port.  Very useful for debugging.

-- 
-------
Tom Buskey
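Ken's MAC:IP table idea and Tom's `arp -a` pointer, as an added example that is not part of this thread: it parses Linux net-tools `arp -a` output (constructed sample lines) against an inventory of expected IP-to-MAC pairs and flags unknown MACs, inventoried IPs answered by a different MAC, and one MAC answering for several IPs, which is what a stray unassigned device or a poisoned cache looks like from the host's side. The `arp -a` line layout, the sample entries and the inventory are assumptions.

```python
import re
from collections import defaultdict

# Assumed Linux net-tools "arp -a" line layout, e.g.
# "gateway (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}|<incomplete>).* on (?P<iface>\S+)$"
)

def parse_arp(text):
    """Map each IP in arp -a output to the MAC answering for it; <incomplete> entries are skipped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m.group("mac") != "<incomplete>":
            seen[m.group("ip")] = m.group("mac").lower()
    return seen

def audit(seen, inventory):
    """Compare observed ARP entries with an inventory (IP -> MAC) and return three findings."""
    known_macs = set(inventory.values())
    by_mac = defaultdict(set)
    for ip, mac in seen.items():
        by_mac[mac].add(ip)
    return {
        # a MAC seen on the wire that no inventoried host owns (Ken's "under suspicion" case)
        "unknown_macs": sorted(mac for mac in by_mac if mac not in known_macs),
        # an inventoried IP answered by a MAC other than the one on record
        "ip_mismatch": sorted((ip, inventory[ip], mac) for ip, mac in seen.items()
                              if ip in inventory and inventory[ip] != mac),
        # a single MAC answering for several IPs, as a poisoner or bridge would
        "multi_ip": {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1},
    }

# Constructed sample output and inventory (not taken from a real network).
SAMPLE_ARP = """\
gateway (192.168.1.1) at 00:11:22:33:44:99 [ether] on eth0
fileserver (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.1.77) at 00:11:22:33:44:99 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
"""
INVENTORY = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.10": "00:11:22:33:44:10"}

def run_sample():
    return audit(parse_arp(SAMPLE_ARP), INVENTORY)

if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(finding, items)
```

On a live host, feed `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout` to `parse_arp` instead of the sample; on a switched network the cache only holds hosts this machine has exchanged traffic with, so the check is partial by nature.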