2

Is Ettercap detectable? It technically shouldn't be, because it just reads the data it sees legally through the network. Every other computer receives the exact same data; it just doesn't show the data to the user since none of it is reserved for that one user.

Is using Ettercap detectable? I mean, it's just my application on my computer, which will analyze a network. It's just inputs and outputs. It's not like Ettercap is reaching into the network. It just reads whatever meets my computer.

Additionally, does Ettercap work through LAN/Ethernet? I can't really check myself since I'm on Wi-Fi and my modem has problems with cable networking.

Anon1101

1 Answer

2

It depends a lot on the setup.

If a trace is running anywhere but on your local subnet, you cannot detect it, period.

On a local subnet, it depends a lot on where and how the trace happens:

  • If it happens at the edge of the segment (on the router, for instance), you cannot detect it.
  • If it happens from a machine connected on the same segment (Ethernet) simply using promiscuous mode, you can attempt to detect it by sending it a specially crafted ARP request that doesn't use the regular broadcast address and see if you get an answer. If you do, it means the NIC is in promiscuous mode (the technique is described here). Nmap can do that for you.
  • If it happens on the local network through ARP poisoning, see this question about how you might detect such an attack.
Stephane
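
The promiscuous-mode check from the second bullet of the answer above, as an added example that is not part of the original answer: it builds the ARP request with a non-broadcast destination and decides whether a captured frame is the probed host's reply. The destination ff:ff:ff:ff:ff:fe, the helper names and the sample addresses are assumptions chosen for illustration.

```python
import struct

FAKE_BCAST = bytes.fromhex("fffffffffffe")  # assumed probe address, NOT the real broadcast
ETH_ARP = 0x0806                            # EtherType for ARP

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def build_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BCAST):
    """Ethernet + ARP who-has for target_ip, sent to a non-broadcast address."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += src_mac + src_ip + b"\x00" * 6 + target_ip
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[0:6], "oper": oper,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}

def answers_probe(probe, frame):
    """True if frame is an ARP reply from the probed IP addressed back to the prober."""
    p, r = parse_arp(probe), parse_arp(frame)
    return bool(r and r["oper"] == 2 and r["spa"] == p["tpa"]
                and r["tpa"] == p["spa"] and r["tha"] == p["sha"])

# Constructed sample values (documentation address range), not from the page.
ME_MAC, ME_IP = mac("02:00:00:00:00:01"), ip("192.0.2.10")
HOST_MAC, HOST_IP = mac("02:00:00:00:00:02"), ip("192.0.2.20")
PROBE = build_probe(ME_MAC, ME_IP, HOST_IP)
# Constructed reply, as a host whose NIC passed the probe up the stack would send it.
REPLY = (ME_MAC + HOST_MAC + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, 2)
         + HOST_MAC + HOST_IP + ME_MAC + ME_IP)
```

Putting the probe on the wire requires a raw link-layer socket and the privileges that go with it, and is only meaningful on the same Ethernet segment as the host being checked.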