spoofers and sniffers

Alvin Oga alvin at Mail.Linux-Consulting.com
Wed Dec 15 11:45:16 PST 2004


On Wed, 15 Dec 2004, Mark C. Langston wrote:

> A trivial trick is to inject a packet that the sniffer will see that has
> a "flag" source or destination IP.  Many, many people don't bother to
> disable name resolution when sniffing.  You watch for the ARP (or, in
> the case of remote sniffers, the query to a nameserver you control).  If
> you inject something that has no other business being on the network,
> when you see the response packet (ARP or query), you know they're
> sniffing.

I think you can also just watch for the DNS packets with
the "fake info" showing up again from presumably the sniffer
and not necessarily on the DNS server one controls

and if the sniffer does not do a DNS or ARP lookup, we won't be able to
find the sniffer?

- a good sniffer would target their packets ??

	eg, only check for emails (port 25 on particular hosts)
	and don't do IP# or MAC lookups?

the sniffers I was looking for were things like tcpdump where someone
tries to pick up all they can and presumably read emails ...

	but pfilt.pl works simpler/faster for sniffing emails
	and went undetected and works on wireless too

btw.. what happened to the RobertGraham.com site where the sniffer FAQ
is always being referred to?

sniffer detectors I played with:
	http://www.linux-sec.net/Sniffer.Detectors/

c ya
alvin
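The detection trick the thread describes, as an added example (not code from either poster): traffic is injected to or from a decoy address that nothing on the segment has any legitimate reason to resolve, and the capture of the resolver and the wire is then searched for hosts that nevertheless did a reverse DNS lookup or an ARP request for it. The tcpdump-style log lines and the decoy address 10.0.0.250 are constructed for the example; as the thread notes, a sniffer that never resolves names produces no such evidence.

```python
import re
from typing import Dict, Set

# Constructed tcpdump-style text (not a real capture). 10.0.0.250 is the decoy
# ("flag") address we injected; no legitimate host has any reason to resolve it.
SAMPLE_LOG = """\
12:00:00.100 IP 10.0.0.5.51000 > 10.0.0.2.53: 4001+ A? mail.example.test. (35)
12:00:01.000 IP 10.0.0.17.43210 > 10.0.0.2.53: 1234+ PTR? 250.0.0.10.in-addr.arpa. (42)
12:00:01.100 ARP, Request who-has 10.0.0.250 tell 10.0.0.17, length 28
12:00:02.300 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
12:00:03.500 IP 10.0.0.9.40001 > 10.0.0.2.53: 4002+ PTR? 5.0.0.10.in-addr.arpa. (40)
"""

# Reverse (PTR) query as tcpdump prints it: "IP <src>.<port> > <resolver>: <id>+ PTR? <name>. (<len>)"
PTR_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: \d+\+? PTR\? (\S+?)\.? \(")
# ARP request as tcpdump prints it: "ARP, Request who-has <target> tell <asker>, ..."
ARP_RE = re.compile(r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 10.0.0.250 -> 250.0.0.10.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def find_resolvers(canary_ip: str, log: str) -> Dict[str, Set[str]]:
    """Map each host that tried to resolve the decoy address to the evidence seen.

    Evidence kinds: 'dns-ptr' (reverse lookup sent to the resolver we watch) and
    'arp' (who-has for the decoy on the wire). A host doing either for an address
    it has no business knowing about is a candidate sniffer with name resolution on.
    """
    canary_ptr = reverse_name(canary_ip).lower()
    hits: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = PTR_RE.search(line)
        if m and m.group(2).lower() == canary_ptr:
            hits.setdefault(m.group(1), set()).add("dns-ptr")
            continue
        m = ARP_RE.search(line)
        if m and m.group(1) == canary_ip:
            hits.setdefault(m.group(2), set()).add("arp")
    return hits


if __name__ == "__main__":
    for host, evidence in sorted(find_resolvers("10.0.0.250", SAMPLE_LOG).items()):
        print(f"{host}: resolved decoy via {', '.join(sorted(evidence))}")
```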




More information about the Baylisa mailing list