From owner-freebsd-security  Tue Jul 29 02:06:07 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id CAA26453
          for security-outgoing; Tue, 29 Jul 1997 02:06:07 -0700 (PDT)
Received: from milehigh.denver.net (milehigh.denver.net [204.144.180.2])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA26446;
          Tue, 29 Jul 1997 02:06:00 -0700 (PDT)
Received: from localhost (jdc@localhost)
	by milehigh.denver.net (8.8.5/8.8.5) with SMTP id DAA02716;
	Tue, 29 Jul 1997 03:09:29 -0600 (MDT)
Date: Tue, 29 Jul 1997 03:09:29 -0600 (MDT)
From: John-David Childs <jdc@denver.net>
To: Gary Palmer <gpalmer@FreeBSD.ORG>
cc: "Nicole H." <nicole@mediacity.com>, security@FreeBSD.ORG
Subject: RE: detecting packet sniffers
In-Reply-To: <6954.870136449@orion.webspan.net>
Message-ID: <Pine.BSI.3.95.970729030228.2340C-100000@milehigh.denver.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

> "Nicole H." wrote in message ID
> <Chameleon.870081818.nmh@geekgirl>:
> 
> 
> > Does anyone know of a good way to detect people "sniffing" on the
> >  network? IE a program that will detect a machine running in
> >  promiscuous mode?
> 
> There is no way to detect that from outside the machine ... after all,
> its just listening to all the packets that go past.
> 
> FreeBSD 2.2 and later log a message to console when an interface goes
> into promiscuous mode.

I was under the impression from reading various product literatures that a
trend in the industry is beginning...whereby packet sniffers will
periodically send "tokens" on the wire identifying that XYZ PacketSniffer
was being used.  There was an NT/SunOS commercial security application I
saw a few weeks ago which claimed to be able to detect some (not all) other
sniffers on the wire...I just can't remember where I saw it.  Time to go
digging through my archives ;)
--


John-David Childs (JC612)       @denver.net/Internet-Coach/@ronan.net
System Administrator            Enterprise Internet Solutions
  & Network Engineer            901 E 17th Ave, Denver 80218
"When you have to kill a man it costs nothing to be polite." 
		-- Winston Curchill, On formal declarations of war