18

I would like to know if there is a product or software that can detect if there is a sniffer currently on the network?

In other words, is it possible at all to detect if there is a network card on the network that is currently in promiscuous mode?

Mark Davidson
Hanan N.
  • This question seems similar to this one: [How to find out that a NIC is in promiscuous mode on a LAN?](https://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan) – WhiteWinterWolf Jun 03 '15 at 12:39

3 Answers

14

There has been some work done that I've heard of like anti-sniff, which looks to detect machines in promiscuous mode using timing information.

The idea is that machines in promiscuous mode have to process all packets they see, so if there are large amounts of traffic that need to be processed, the system will be busy and slower to respond to directed traffic.

This sort of approach, if it's still practical, wouldn't work in every scenario. For example, if a host doesn't have an IP address, it can still potentially sniff traffic, and it wouldn't be possible to detect it using this approach.

However it's one possible approach that could be explored.

Rory McCune
  • There's also always the social aspect: produce false information and wait for someone to act on it. – Polynomial Dec 05 '12 at 10:05
  • A serious sniffing device like a [Corvil](https://www.corvil.com/products/features/corvil-capture) won't be susceptible to this – Gaius Aug 24 '19 at 16:27
14

It is possible to sniff packets on unswitched Ethernet or Wi-Fi completely passively. Tools like the Throwing Star LAN Tap make this even easier. In this passive case, there is nothing you can really do about it.

However, if you are on a switched LAN, any sniffer would have to start poisoning ARP caches, even if only on the switch. This is something that you can much more easily detect, and it is a nice early warning that someone is planning something evil.

lynks
  • "any sniffer would have to start poisoning ARP" is not technically true. To sniff all traffic, you need to ARP poison. But sniffing broadcasts and traffic on a shared switch line does not require ARP poisoning: I do it all the time. – schroeder Dec 05 '12 at 15:18
  • By `on a switched lan` I thought it was obvious what I meant. If you have other hosts in your collision domain, you're not on a switched network segment. Also broadcasts are rarely interesting. Not that both your points aren't correct. – lynks Dec 06 '12 at 19:35
  • Or the sniffer is using the monitoring/port mirroring capability of one or more of the switches your traffic is passing through, or they're using sniffing capabilities on a router or firewall or IDS/IPS your traffic is passing through... none of which is really detectable by an end user. – Anti-weakpasswords Jun 23 '15 at 04:10
  • @lynks If you tap the link between two switches then you'll also have access to the aggregate packets without requiring ARP poisoning, but still be on a switched lan. – apraetor Mar 07 '16 at 18:29
8

If the system runs the sniffer, its interface will be in promiscuous mode. The test works like this: send a ping with the correct IP address into the network but with a wrong MAC address. The sniffing host will answer the ping packet, as it receives every packet in promiscuous mode. There is a ready-to-use script in nmap to support this detection.

http://nmap.org/nsedoc/scripts/sniffer-detect.html

HOWEVER: This method only works if:

  1. the sniffing host is on the same Layer 2 network;
  2. the sniffing host does not have a firewall that blocks incoming ICMP packets;
  3. the sniffing host does the sniffing with an interface that has TCP/IP enabled, and thus is able to answer the ICMP packet.

Source: http://ask.wireshark.org/questions/14351/detectprevent-wireshark

Arka
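To make the wrong-MAC ping test above concrete, here is an added example (not the nmap sniffer-detect script and not code from any answer) that builds the probe frame with a bogus destination MAC and then picks out, from captured frames, any host that answered an echo request it should never have seen. The MAC and IP addresses are constructed sample values; the code does not send anything, it only builds and parses frames.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type=8, ident=0x1234):
    """Ethernet/IPv4/ICMP echo frame. For the probe, dst_mac is deliberately
    a bogus address: a NIC in normal mode drops the frame in hardware, so
    only a host listening promiscuously ever sees the echo request."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + icmp

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip, icmp_type, ident) for an ICMP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return None
    ihl = (frame[14] & 0x0F) * 4
    icmp_type, _, _, ident, _ = struct.unpack("!BBHHH", frame[14 + ihl:14 + ihl + 8])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return (src_mac, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            icmp_type, ident)

def promiscuous_candidates(probed_ip, ident, captured_frames):
    """Hosts that sent an echo reply to a probe never addressed to their MAC."""
    hits = set()
    for frame in captured_frames:
        p = parse_frame(frame)
        if p and p[1] == probed_ip and p[3] == 0 and p[4] == ident:
            hits.add((p[0], p[1]))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: probe to 10.0.0.5 via a bogus MAC, plus the reply a
    # promiscuous host would send back (a host in normal mode stays silent).
    probe = build_icmp_frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:fe", "10.0.0.1", "10.0.0.5")
    reply = build_icmp_frame("02:00:00:00:00:05", "02:00:00:00:00:01", "10.0.0.5", "10.0.0.1", icmp_type=0)
    print(promiscuous_candidates("10.0.0.5", 0x1234, [probe, reply]))
```

Putting the probe on the wire needs a raw socket and the corresponding privileges, and the three conditions listed in the answer (same Layer 2 segment, no ICMP filtering, IP-enabled sniffing interface) still decide whether a reply can come back at all.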