+2  Q: 

Sniffing detection

Hi, can someone tell me how exactly the "ICMP test" works? (It is one of the methods for detecting sniffing on a local network.)

+1  A: 

Sniffing detection is basically detecting if there are any sniffers in your network. The main feature of sniffers that is used to detect them is that they place the network card in promiscuous mode, listening for all traffic. Typically, a sniffer is placed on a machine with a full TCP/IP stack which will be affected by this mode.

ICMP is the protocol behind the ping command. To ping a machine, you send an ICMP Echo request packet to it and wait for an ICMP Echo response. Usually, the ICMP request is embedded in an Ethernet packet to be delivered across the network. A standard Ethernet packet would include the MAC address of the addressed network card, as well as the IP address of that machine in the embedded ICMP packet. The packet would be detected by the appropriate card and that machine would respond to the ping. This is the standard process.

Now let's see what happens if we send a ping packet (an ICMP Echo request) with the IP address of the suspected sniffer but with a different, faulty MAC address in the Ethernet envelope.

  1. If the network card in the sniffer machine is not in promiscuous mode, then the packet will not be received by that machine. Naturally, the machine wouldn't respond. The ping attempt would fail.

  2. If the network card in the sniffer machine is in promiscuous mode, then the machine will see all packets in the network. The TCP/IP stack on that machine would thus accept the ping packet by identifying the IP address in the received packet. The stack would thus send a response. The ping attempt would succeed.

Similar to other methods of detection, this has false positives as well as false negatives. The sniffer machine may be instructed to ignore all ICMP requests. Detecting promiscuous mode is not exactly detecting sniffers, though it is a very significant clue.

Muhammad Alkarouri
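As an added illustration of the two cases above (this is example code written for this page, not the answerer's own code, and it is in Python rather than the .NET/C# the comment below asks about), the following builds the probe frame exactly as described, an Ethernet frame whose destination MAC is deliberately wrong but whose IPv4 destination and ICMP Echo request are correct, with real RFC 1071 checksums, and then models a suspect host as two stages: the NIC hardware filter and the IP stack. All MAC and IP addresses, the `BOGUS_MAC` value and the payload string are constructed for the example. The `dst_mac` parameter of `probe_host` lets the same function send a normal control ping with the correct MAC, which is the check a practitioner wants before trusting a silent probe, because a host that ignores ICMP altogether (the false negative the answer mentions) is silent either way.

```python
import struct

# Constructed example addresses: nothing here refers to a real host.
DETECTOR_MAC = "02:00:00:00:00:01"
DETECTOR_IP = "10.0.0.2"
SUSPECT_MAC = "02:00:00:00:00:05"   # the suspect's real NIC address
SUSPECT_IP = "10.0.0.5"
BOGUS_MAC = "02:00:00:de:ad:ff"     # deliberately wrong destination MAC (constructed)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_probe(src_mac, dst_mac, src_ip, dst_ip, ident=0x1234, seq=1,
                payload=b"promisc-probe") -> bytes:
    """Ethernet II frame -> IPv4 -> ICMP Echo Request, all checksums filled in."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8 = Echo Request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))  # proto 1 = ICMP
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"   # EtherType IPv4
    return eth_hdr + ip_hdr + icmp


def nic_accepts(frame: bytes, nic_mac: str, promiscuous: bool) -> bool:
    """Hardware filter: a normal NIC keeps only frames for its own MAC or broadcast."""
    dst = frame[:6]
    return promiscuous or dst in (mac_bytes(nic_mac), mac_bytes(BROADCAST_MAC))


def stack_replies(frame: bytes, host_ip: str, answers_icmp: bool = True) -> bool:
    """IP stack: answer an Echo Request whose destination IP is one of ours."""
    ip_hdr = frame[14:34]
    is_icmp = ip_hdr[9] == 1
    for_us = ip_hdr[16:20] == ip_bytes(host_ip)
    is_echo_request = frame[34] == 8
    return answers_icmp and is_icmp and for_us and is_echo_request


def probe_host(host_ip: str, host_mac: str, promiscuous: bool,
               answers_icmp: bool = True, dst_mac: str = BOGUS_MAC) -> bool:
    """True when the probe gets a reply. With the default bogus dst_mac a reply
    means the host looks promiscuous; with dst_mac=host_mac it is a control ping."""
    frame = build_probe(DETECTOR_MAC, dst_mac, DETECTOR_IP, host_ip)
    if not nic_accepts(frame, host_mac, promiscuous):
        return False            # NIC dropped the frame: no reply, looks clean
    return stack_replies(frame, host_ip, answers_icmp)


if __name__ == "__main__":
    print("control ping:", probe_host(SUSPECT_IP, SUSPECT_MAC, False, dst_mac=SUSPECT_MAC))
    for promisc, icmp_on in [(False, True), (True, True), (True, False)]:
        replied = probe_host(SUSPECT_IP, SUSPECT_MAC, promisc, icmp_on)
        print(f"promiscuous={promisc} answers_icmp={icmp_on} -> reply={replied}")
```

On a real network the bytes returned by `build_probe` would be written to a link-layer raw socket (for example `AF_PACKET` on Linux, which requires root) and the detector would then watch for an Echo reply from the suspect's IP; the `nic_accepts` and `stack_replies` functions here only stand in for the suspect host so the logic can be exercised offline. Note that the third run in the demo shows the false negative from the answer: a promiscuous host that drops all ICMP looks exactly like a clean one, which is why the control ping belongs in any real check.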
Thank you very much. That's exactly what I need :) Do you maybe know how to send an ICMP packet like this (to the suspected IP but with a different, faulty MAC address) in .NET/C#?
Saint_pl