Detecting packet sniffers

Robert Graham, of BlackICE authorship fame, has a somewhat outdated but still very useful FAQ on sniffing. The most interesting part of it is section 2.5, entitled “How can I detect a packet sniffer?”. That section explains various methods for detecting a sniffer on a network (abnormal responses to ping and ARP, reverse DNS traps, latency, etc.) and mentions some tools that implement them, such as sentinel, antisniff, and neped.

One of the other methods Graham notes is TDR (Time Domain Reflectometer), which “sends a pulse down the wire, then graphs the reflections that come back. An expert can look at the graph of the response and figure out if any devices are attached to the wire that shouldn’t be. They also roughly tell where, in terms of distance along the wire, the tap is located.” This is a clever way to detect a sniffer, because the other methods, which rely on detecting a network card in promiscuous mode, fail if the sniffer is attached to the network through a receive-only (RX-only) cable: a host that can only receive never answers a probe.

Many of Cisco’s higher-end switch series support TDR, albeit without graphing capabilities. According to that documentation, “the time delay reflectometer (TDR) counter is an internal counter that counts the time (in ticks of 100 nanoseconds (ns) each) from the start of a transmission to the occurrence of a collision. Because a transmission travels about 35 feet per tick, this value is useful to determine the approximate distance to a cable fault.” However, the TDR method Graham describes lends itself more to a dedicated device such as the Tektronix 1502C. In any event, I suppose if there’s a question of a rogue sniffer on a network, the argument for encrypting traffic on the local segment should be made.
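The “abnormal responses to ARP” method from the FAQ, as an added example that is not part of the original post or of any of the tools named in it: an ARP request for the target’s IP is sent to a bogus unicast MAC rather than broadcast, so only a host whose NIC is in promiscuous mode hands it to the kernel and answers. The interface names, MAC addresses and 192.0.2.x addresses are constructed for the example; the bogus MAC value is the one this example chooses.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Bogus unicast destination used by the probe (value chosen for this example):
# a NIC in normal mode discards the frame in hardware, while a NIC in
# promiscuous mode passes it up and the kernel answers the ARP request anyway.
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(dst_mac, src_mac, src_ip, tgt_mac, tgt_ip, oper):
    """Ethernet header + ARP body (42 bytes, no padding)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(src_mac), ipaddress.ip_address(src_ip).packed,
                      mac_bytes(tgt_mac), ipaddress.ip_address(tgt_ip).packed)
    return eth + arp

def build_probe(src_mac, src_ip, target_ip):
    """ARP request for target_ip addressed to the bogus MAC instead of broadcast."""
    return build_arp(BOGUS_DST_MAC, src_mac, src_ip, "00:00:00:00:00:00",
                     target_ip, ARP_REQUEST)

def parse_arp_reply(frame, target_ip):
    """Return the sender MAC if frame is an ARP reply from target_ip, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    oper, sha, spa = struct.unpack("!H6s4s", frame[20:32])
    if oper != ARP_REPLY or spa != ipaddress.ip_address(target_ip).packed:
        return None
    return mac_str(sha)

def promiscuous_hosts(captured_frames, probed_ips):
    """Map IP -> MAC for hosts that answered a probe they should never have seen.
    A silent host is not proof of innocence: a receive-only tap never answers,
    which is why the post turns to TDR for that case."""
    found = {}
    for frame in captured_frames:
        for ip in probed_ips:
            mac = parse_arp_reply(frame, ip)
            if mac:
                found[ip] = mac
    return found
```

Sending the probe and capturing replies needs a raw link-layer socket (AF_PACKET on Linux, with CAP_NET_RAW), which is left out here; the functions above build the frames and judge the replies.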
