Wireless Networks Thread, Sniffing Software in Technical
13th October 2008, 08:41 PM #1
If you use a program to sniff data packets is it possible to detect this is actually happening on a network?
The reason I ask is that I think someone connected a laptop to one of our networks and was capturing data.
Is there a way for me to see if this is being done as I'd like to catch them at it, whoever they are?
13th October 2008, 09:03 PM #2
Unless they have managed to set up a port on the switch to mirror (which would be traceable depending on your switches) there would be no way that I can think of to detect this, as it is a passive action: merely setting the network card in the machine to log and read every frame offered rather than ignoring anything that was not addressed to it directly or broadcast/multicast.
The act of sniffing is merely setting the machine to pay attention to everything that is being pushed through that segment of the network.
Unless the switch was set up to mirror or you are still using hubs, the only traffic that they would be getting from a switch is stuff from their own station along with any broadcasts and multicasts on that network segment. They could probably learn more about the structure of the network, i.e. what devices are broadcasting (switches/printers), but actual authentication information would almost always be unicast, likewise with file shares and web traffic. As such they are unlikely to get much sensitive information from their activities unless the network is set up in such a way that it lets them.
If they are actively redirecting the network traffic by using ARP poisoning (replying to IP-to-MAC address queries with its own MAC to intercept traffic) then you can pick this up by packet sniffing yourself, but it is a long (understatement) process looking through the logs to find it.
Last edited by SYNACK; 13th October 2008 at 09:15 PM.
Reason: Added info about ARP poisoning attacks
2 Thanks to SYNACK:
mrtechsystems (14th October 2008), tech_guy (13th October 2008)
13th October 2008, 09:07 PM #3
Not sure if you can still get it, whether it costs now or how good it is/was, but there was a proggy for this called Promiscan (scans for 'promiscuous' NICs).
On a switched network a Bad Guy would normally need to mess around with ARP in order to see **other people's traffic**, and you can use things like Arpwatch to help detect that.
3 Thanks to PiqueABoo:
mrtechsystems (14th October 2008), SYNACK (13th October 2008), tech_guy (13th October 2008)
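Added example, not part of any post in this thread: posts #2 and #3 both point at ARP as the thing to watch, so this sketch parses captured Ethernet frames and flags the kind of IP-to-MAC pairing change that tools like Arpwatch report, instead of reading the capture by hand. The function names, frames, MAC and IP addresses are all constructed for illustration, and it assumes untagged Ethernet/IPv4 ARP.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_binding_changes(frames):
    """Flag IPs whose claimed MAC changes, and MACs that claim more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":        # ARP probes carry no binding
            continue
        _, mac, ip = parsed
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append((n, ip, old, mac))                # (frame no., IP, old MAC, new MAC)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, multi

def sample_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build the bytes of one constructed ARP frame for the sample capture below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    dst = mac(target_mac) if op == 2 else b"\xff" * 6       # requests are broadcast
    return (dst + mac(sender_mac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

# Constructed capture: frame 4 is a second MAC answering for the gateway's IP.
SAMPLE = [
    sample_frame(1, "aa:aa:aa:aa:aa:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    sample_frame(2, "00:11:22:33:44:55", "192.168.1.1", "aa:aa:aa:aa:aa:10", "192.168.1.10"),
    sample_frame(2, "02:00:00:00:00:99", "192.168.1.66", "aa:aa:aa:aa:aa:10", "192.168.1.10"),
    sample_frame(2, "02:00:00:00:00:99", "192.168.1.1", "aa:aa:aa:aa:aa:10", "192.168.1.10"),
]

if __name__ == "__main__":
    alerts, multi = find_binding_changes(SAMPLE)
    for n, ip, old, new in alerts:
        print(f"frame {n}: {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", multi)
```

A pairing change is a lead rather than proof: DHCP reassignment, failover pairs and replaced NICs also produce them, so check the flagged MAC against the switch's address table to find the port it sits on.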
14th October 2008, 10:31 AM #4
Depending on where your power and data runs (and if it's copper or fibre), he could stick a hub between switch uplinks, snip the transmit pair on a patch cable and just listen in.
<more paranoid, assuming prior research re uplinks and available power has been done>
Cut the right cable in a roof void, crimp on jacks.
Plug into 5-port hub
Connect asus eee / whatever
Replace ceiling tile.
Assuming the eee is ready to go, would take about 5 mins.
Thanks to pete from:
tech_guy (14th October 2008)
14th October 2008, 10:35 AM #5
IIRC ettercap uses ARP poisoning to sniff switched network traffic
Thanks to CyberNerd from:
tech_guy (14th October 2008)
14th October 2008, 11:03 AM #6
encapsulate everything in SSL! [/stereotypical *nix geek response]
14th October 2008, 12:53 PM #7
If you are using Windows clients and servers you can apply IPSec via group policy to encrypt all traffic or just set it to encrypt traffic to sensitive servers like student management which will protect your data nicely.