Is there any way to find out if someone who is connected to my network is sniffing packets? There is a way with nmap if his card is in promiscuous mode but what if it is passive?
4 Answers
The thing about passive sniffing is that you don't get other people's network traffic unless you're either in a position to see that traffic due to network topology (e.g. you're sniffing a trunk port) or are doing network spoofing (e.g. ARP spoofing) that causes packets to be sent to your device.
If they're doing the latter, you just need to look out for ARP spoofing attacks. Many IDS solutions have features that can detect ARP spoofing. A really low-quality cheap way to catch rogue devices is to just look for packets coming from MAC addresses you don't recognise. Better solutions match up the known MAC addresses to physical ports and devices, so that unusual routing can be spotted quickly.
I can't think of any way to detect entirely passive sniffing per se, but it would certainly be possible to probe for rogue devices on your network by doing ARP scans, DHCP probes, or application-layer broadcasts (e.g. on 192.168.x.255) and looking for responses from devices that you don't recognise.
- 132,208
- 43
- 298
- 379
-
2A sniffing device can be entirely passive, either through a modified stack or through a read-only [Ethernet cable](http://www.tamos.com/htmlhelp/monitoring/read_onlycables.htm). – Stephane Sep 06 '13 at 12:11
-
It can, but it would have to be sniffing on a line that already has traffic going down it. If that line is connected to a port that only has the sniffing device connected, or if you're on a wireless network, you'll get no data. – Polynomial Sep 06 '13 at 12:13
-
4On a wireless network all data transmitted can be sniffed without detection. The only concern is if the attacker can get around the encryption... – Rory Alsop Sep 06 '13 at 12:18
-
+1 for read only ethernet cable! never heard of something like that. – PsychoData Sep 06 '13 at 22:43
-
Other than what @Polynomial said about only seeing whats passing. I would make the additional point that if you are upstream (Victim A and B are connected to a switch and your reading on the upstream side of that switch) you wont see any traffic that goes directly between them (eg. you might see the DNS lookup where they find each other, but not the file transfer between them.) By contrast, You Victim A and B are all on a hub (not recommended since switches have gotten much less expensive) you could see everything that is said between them and what goes upstream...and what comes back down..ALL – PsychoData Sep 06 '13 at 22:48
Leaving aside physical attacks like cable splicing and wiretapping, there are a couple ways to find traffic sniffers. One way, as already mentioned by @Polynomial, is to detect the traffic tampering that is required in order to direct useful (i.e. other people's) traffic to the sniffer. An example program that does this is arpwatch
.
Another detection mechanism is using probes to determine if the host's interface is in promiscuous mode. Nmap has a script, sniffer-detect
which can do this, but there are other programs as well.
- 11,316
- 1
- 27
- 50
There is always the possibility that a sniffer can be deployed on the local machine to sniff the network, it will narrow the traffic to just the local host but is a effective if a targeted attack is in progress to monitor a specific person and/or host of interest.
This can be somewhat hard to detect in some cases due to this type of sniffing being passive in nature, maybe even cloaked by root-kits etc.
- 1
- 1
I want to look into this in a little more details, but I recall a networking friend of mine once told me about an advanced "Fluke Tool" that could detect the distance of a cable and anything physically on the wire. This is not using network traffic, but something way down in the physical layer, etc. I would imagine if you knew your before state you could scan for any changes in physical connections (on a wired network) on a periodic basis and this might show rogue connections. On a large network, this sound a bit unpractical though.
A better way of going about this may be to assume you are being tapped at the physical level and to use IPSec, VPN, etc so that the unauthorized connection is only capturing encrypted data. For a malicious insider, if it's company owned equipment, hopefully you have the system admin tools, policies, etc to lock down software and to prevent promiscuous mode (I believe on Windows you need admin level to enter promiscuous mode).
- 9,691
- 4
- 31
- 58