If you use a program to sniff data packets is it possible to detect this is actually happening on a network?
The reason I ask is that I think someone connected a laptop to one of our networks and was capturing data.
Is there a way for me to see if this is being done as I'd like to catch them at it, whoever they are?
Unless they have managed to setup a port on the switch to mirror (which would be traceable depening on your switches) there would be no way that I can think of to detect this as it is a passive action merely setting the network card in the machine to log and read every frame offered rather than ignoreing anything that was not adressed to it directly or broadcasted/multicasted.
The act of sniffing is merely setting the machine to pay attention to everything that is being pushed through that segment of the network.
Unless the switch was setup to mirror or you are still using hubs the only traffic that they would be getting from a switch is stuff from their own station along with any broadcasts and multicasts on that network segment. They caould probably learn more about the structure of the network ie what devices are broadcasting (switches/printers) but actual authentication information would almost always be unicast, likewise with file shares and web traffic. As such they are unlikely to get much sensitive information from their activities unless the network is setup in such a way that it lets them.
If they are activly redirecting the network traffic by using ARP poisining (replying to ip to MAC address queries with its own MAC to intercept traffic) then you can pick this up by packetsniffing yourself but it is a long (understatment) process looking through the logs to find it.
Not sure it you can still get it, wheter it costs now or how good it is/was, but there was a proggy for this called Promiscan (scans for 'promiscuous" NICs).
On a switched network a Bad Guy would normally needs to mess around with ARP in order to see **other peoples traffic** and you can use things like Arpwatch to help detect that.
Depending on where your power and data runs (and if it's copper or fibre), he could stick a hub between switch uplinks, snip the transmit pair on a patch cable and just listen in.
<more paranoid, assuming prior research re uplinks and available power has been done>
Cut the right cable in a roof void, crimp on jacks.
Plug into 5-port hub
Connect asus eee / whatever
Replace ceiling tile.
Assuming the eee is ready to go, would take about 5 mins.
IIRC ettercap uses ARP poisoning to sniff switched network traffic
Originally Posted by SYNACK
encapsulate everything in SSL! [/stereotypical *nix geek response]
If you are using Windows clients and servers you can apply IPSec via group policy to encrypt all traffic or just set it to encrypt traffic to sensitive servers like student management which will protect your data nicely.