In reply to Paul Jakma's flatulent wordings,
> On Sat, 10 Mar 2001, Andrew Betson wrote:
>> > Anyone know about this...?
> he's right... the sniffer is invisible. course the box isn't, unless
> setup to do bridging.
Why must the box be bridging to be effectively invisible? Much as it won't
reply to network traffic very well without TX, it also won't bridge very well
:)
> the only clue is if the network card is in promiscuous mode, then an
> attacker could maybe be clued in by the box being a little bit slow
> with network replies, and perhaps getting slower as the box gets
> busier.
Yep, I believe that's the catchall test in AntiSniff, they have a few
OS-specific ones as well like sending an Ethernet frame with the hardware address
of machine a (an arbitrary machine) but inside that, an ICMP echo request
packet with the address of machine b (a Linux box). If machine b isn't in
promiscuous mode, the network card hardware will never pass that packet to the
kernel, if it is, Linux will respond to it, because it assumes that the packet
was destined for that machine. Quirks like these, although not right or
wrong, exist for different OSs and can be used to detect sniffing.
The TX disabling is certainly the most subtle way of going about it, but also
the most awkward.
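
The mis-addressed echo test described in this message, as an added example that is not part of the original post and is not AntiSniff's code. It builds the probe frame and models the host under test (hardware address filter, then the kernel's IP check); all MAC and IP addresses are constructed sample values.

```python
import struct

BROADCAST = b"\xff" * 6

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo(icmp_type, ident, seq, payload=b"probe"):
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def frame(dst_mac, src_mac, src_ip, dst_ip, icmp):
    """Ethernet II + IPv4 (20-byte header, protocol 1) + ICMP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + icmp

def host_response(probe, nic_mac, host_ip, promiscuous):
    """Model of machine b: NIC address filter first, then the kernel's IP check."""
    dst_mac, src_mac = probe[:6], probe[6:12]
    if not (promiscuous or dst_mac in (nic_mac, BROADCAST)):
        return None  # hardware filter drops the frame; the kernel never sees it
    src_ip, dst_ip = probe[26:30], probe[30:34]
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", probe[34:42])
    if dst_ip != host_ip or icmp_type != 8:
        return None
    # The quirk from the post: the kernel answers based on the IP address alone.
    return frame(src_mac, nic_mac, host_ip, src_ip, icmp_echo(0, ident, seq, probe[42:]))

def indicates_promiscuous(reply, probe):
    """Scanner side: an echo reply to the mis-addressed probe means the NIC passed it up."""
    if reply is None or reply[12:14] != b"\x08\x00" or reply[23] != 1:
        return False
    return (reply[26:30] == probe[30:34] and reply[34] == 0
            and reply[38:42] == probe[38:42])

if __name__ == "__main__":
    # Constructed sample addresses: scanner, machine b, and machine a's MAC.
    scan_mac, b_mac, a_mac = (bytes.fromhex(m) for m in
                              ("020000000001", "020000000002", "020000000099"))
    scan_ip, b_ip = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
    probe = frame(a_mac, scan_mac, scan_ip, b_ip, icmp_echo(8, 0x1234, 1))
    for mode in (False, True):
        print(mode, indicates_promiscuous(host_response(probe, b_mac, b_ip, mode), probe))
```
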