From: Anthony D. Eaker (radu7PIPELINE.COM)
Date: Sat Mar 31 2001 - 09:53:03 CST


    Clipping (or not connecting) the Tx wires on a 10/100Base-T (RJ45)
    connection won't work (if you've got one that does I'd be interested in
    knowing what make of NIC/Hub you are using!). The NIC/Hub on a 10/100Base-T
    connection need the Tx pair to send link-pulses to maintain a connection.
    You can, however, do this on an older NIC that uses an AUI interface by
    clipping the Tx pins on the transceiver. See section 3.6 of the following
    FAQ, which contains other very useful info on detecting packet-sniffers
    etc...

     http://www.robertgraham.com/pubs/sniffing-faq.html

     Anthony

    > ----- Original Message -----
    > From: "Howard, Aaron" <ahowardNOERRORS.COM>
    > To: <FOCUS-MSSECURITYFOCUS.COM>
    > Sent: Tuesday, March 27, 2001 2:24 PM
    > Subject: Re: Can packet sniffing be detected?
    >
    >
    > > Why not make a custom cable (assuming a 10/100Base-T connection)
    > > that does not connect the TX wire(s) to the RJ45 connector on the
    > > NIC end?
    > >
    > > I cannot think of a way to detect a node on a network if it
    > > is physically impossible for it to transmit packets.
    > >
    > > If you dedicate a machine to sniffing (not a bad idea) then you
    > > can always leave it in and no one will ever know it's there...
    > > unless of course they come in your office and ask "What's that
    > > computer doing?"
    > >
    > > To which you'll have to respond "I could tell you, but then I'd
    > > ..." no that's been done too much.
    > >
    > > If you're running 802.11 or some other medium, I don't know how
    > > you avoid transmitting altogether without damaging your NIC and/or
    > > writing your own driver...
    > >
    > > -Aaron
    > > ==
    > > Aaron Howard, CCNA, CNE, MCSE, RHCE
    > > The Computer Group, Inc.
    > > ahowardnoerrors.com
    > > pgp key on public key servers
    > >
    > >
    > > > -----Original Message-----
    > > > From: bgreenbaum [mailto:bgreenbaumSECURITYFOCUS.COM]
    > > > Sent: Monday, March 26, 2001 8:31 PM
    > > > To: FOCUS-MS
    > > > Cc: bgreenbaum
    > > > Subject: Re: Can packet sniffing be detected?
    > > >
    > > >
    > > > Check out AntiSniff from L0pht:
    > > > http://www.securityfocus.com/templates/tools.html?id=1541
    > > > or
    > > > http://www.securitysoftwaretech.com/antisniff/index.html
    > > >
    > > > It uses network latency to determine if a particular host is in
    > > > promiscuous mode.
    > > >
    > > > Of course, there's also AntiAntiSniff
    > > > http://www.securityfocus.com/tools/336
    > > > which claims to be able to fool this kind of testing. I have
    > > > not tried it myself, so YMMV.
    > > >
    > > > Ben Greenbaum
    > > > Director of Site Content
    > > > SecurityFocus
    > > > http://www.securityfocus.com
    > > >
    > > >
    > > > On Mon, 26 Mar 2001, SpamCube wrote:
    > > >
    > > > > I am running a Windows 2000 based packet sniffer (Commview) on a
    > > > > Windows/Novell network. I was wondering if there is any way
    > > > > that a packet sniffer could be detected on a network.
    > > > >
    > > > > Thanks.
    > > > >
    > > >
    >