Message-ID: <19990418181122.S37994@lemis.com>
Date: Sun, 18 Apr 1999 18:11:22 +0930
From: Greg Lehey
To: "Eric S. Nooden", freebsd-questions@FreeBSD.ORG
Subject: Re: Sniffers and Sniffer detection [General UNIX question]
References: <4.1.19990412090921.009e0420@beloit.edu>
In-Reply-To: <4.1.19990412090921.009e0420@beloit.edu>; from Eric S. Nooden on Mon, Apr 12, 1999 at 09:31:58AM -0600
WWW-Home-Page: http://www.lemis.com/~grog
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062

On Monday, 12 April 1999 at 9:31:58 -0600, Eric S. Nooden wrote:
> Hello all!
>
> A question or two concerning sniffers and sniffer detection.
>
> 1. Is it possible to detect if a sniffer is being used?

No.

> I know that the MS Network Analyzer does detect when their product
> is being used

Maybe this is a "friendliness" feature.

> but I am more concerned with the UNIX side of the house. If not, is
> there any program that could determine whether or not the
> promiscuous mode is being used on any NIC...sort of like using nmap
> to scan for it?

The real problem is that it's usually another system which is using
the sniffer, and you have no access to it. Nothing changes on your
system.

> 2. Is it possible to install a sniffer, in a user account (with no root
> access), and sniff the network and watch for passwords?

FreeBSD won't allow you to set promiscuous mode unless you're root.

> I do realize that anything is possible, but I would appreciate a more
> specific answer and possibly some ways to protect against sniffers. One
> precaution to possibly take is to place the modem lines on 10/100 switches
> and also the primary systems. I would think that protects us a little bit
> considering you can't sniff outside our collision domain (unless you had an
> "agent" on another hub(s) ).

Right, you need to be on the local network.

Greg
--
When replying to this message, please copy the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key
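
The thread asks for a program that reports whether promiscuous mode is in use on a NIC. The sketch below is an added example, not part of the original message: it covers only the local half of that question, on a host you administer, by listing interfaces whose `ifconfig` flag list contains `PROMISC`. It tells you nothing about another system on the wire. The function names `promisc_ifaces` and `sample_ifconfig` are hypothetical, the sample output is constructed, and the parser assumes header lines of the form `name: flags=HEX<FLAG,FLAG,...>`.

```shell
#!/bin/sh
# promisc_ifaces (hypothetical name): read ifconfig-style output on stdin and
# print the name of every interface whose flag list contains PROMISC.
promisc_ifaces() {
    awk '
        # Interface header lines look like "fxp0: flags=8943<UP,...> mtu 1500".
        # Address lines are indented, so they never match this pattern.
        /^[A-Za-z0-9._]+: flags=/ {
            name = $1
            sub(/:$/, "", name)
            # Take the text between "<" and ">" and split it on commas so
            # that only an exact PROMISC entry counts as a match.
            start = index($0, "<")
            stop  = index($0, ">")
            if (start == 0 || stop <= start) next
            n = split(substr($0, start + 1, stop - start - 1), flag, ",")
            for (i = 1; i <= n; i++)
                if (flag[i] == "PROMISC") { print name; break }
        }
    '
}

# Constructed sample input (not captured from a real host): fxp0 has the
# PROMISC flag set, ed0 and lo0 do not.
sample_ifconfig() {
    cat <<'EOF'
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	ether 00:00:5e:00:53:01
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.74 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
EOF
}

# Demonstration on the constructed sample.
# On a live host the equivalent is: ifconfig -a | promisc_ifaces
sample_ifconfig | promisc_ifaces
```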