Transcript Slide 1

COEN 252 Computer Forensics
Remote Sniffer Detection
Sniffer Detection

On the Host

Look for capture files (typically big and growing).
Look for a promiscuous card.
Look for unauthorized connections or processes.

On the Net

Much harder.
Network-based Sniffer Detection

OS specific tests.
DNS tests.
Network latency tests.
MAC detection

Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address.
Ethernet driver might have a flaw.
Build an echo request with the correct IP and the wrong MAC.
MAC Detection

Only a NIC in promiscuous mode will pick up something with a wrong MAC address.
The “Echo Request” packet is passed up the stack to the IP layer.
IP layer answers it.
ARP Detection

Send an ARP request with a false MAC and the correct IP address.
Only a promiscuous NIC will pick up the packet.
Kernel sends ARP reply.
DNS Detection Technique

Password sniffers (or sniffers not in stealth mode) generate network traffic.
Sniffers use reverse DNS lookup:

Because they think they found a password and want to know the system.
Because they want to provide the user with the name of the machines.
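The DNS detection technique in practice: send decoy traffic to a bait address that no host should legitimately see, then watch the resolver's query log for a PTR (reverse) lookup of that address. The client that issued the lookup is the one that picked the traffic off the wire. This is an added example, not from the lecture; the BIND-style query log format, the bait address 10.2.3.4 and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Bait address for the decoy traffic: a constructed value, not from the slides.
BAIT_IP = "10.2.3.4"

# Matches a BIND-style query log line (client address, queried name, record type).
# The log format is an assumption; adapt the regex to your resolver's output.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r".*query: (?P<name>\S+) IN (?P<rtype>[A-Z]+)"
)

def reverse_name(ip: str) -> str:
    """Name a resolver asks for when reverse-resolving ip (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def find_ptr_lookups(log_lines: Iterable[str], bait_ips: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each bait IP to the set of clients that issued a PTR query for it."""
    wanted = {reverse_name(ip).lower(): ip for ip in bait_ips}
    hits: Dict[str, Set[str]] = {ip: set() for ip in wanted.values()}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("rtype") != "PTR":
            continue
        name = m.group("name").rstrip(".").lower()
        if name in wanted:
            hits[wanted[name]].add(m.group("src"))
    return hits

# Constructed sample log: a normal A query, a PTR query for the bait address from
# 192.168.1.77 (the would-be sniffer host), and an unrelated PTR query.
SAMPLE_LOG = [
    "01-Mar-2024 10:00:01.123 client @0x7f3c 192.168.1.20#41234 (www.example.com): query: www.example.com IN A + (192.168.1.1)",
    "01-Mar-2024 10:00:05.456 client @0x7f3d 192.168.1.77#52011 (4.3.2.10.in-addr.arpa): query: 4.3.2.10.in-addr.arpa IN PTR + (192.168.1.1)",
    "01-Mar-2024 10:00:09.789 client @0x7f3e 192.168.1.20#41235 (9.8.7.10.in-addr.arpa): query: 9.8.7.10.in-addr.arpa IN PTR + (192.168.1.1)",
]

def suspicious_hosts(log_lines=SAMPLE_LOG, bait_ips=(BAIT_IP,)) -> List[str]:
    """Clients that reverse-resolved a bait address nobody should have seen traffic to."""
    hits = find_ptr_lookups(log_lines, bait_ips)
    return sorted({src for srcs in hits.values() for src in srcs})

if __name__ == "__main__":
    for host in suspicious_hosts():
        print(f"possible sniffer: {host} reverse-resolved bait address {BAIT_IP}")
```

A sniffer running in stealth mode (no reverse lookups) produces no such query, which is exactly the limitation the slide notes.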
Load Detection Technique

Sniffers are hard on the machine resources.
Sniffer degrades performance when there is a lot of network load.
Hence, generate lots of network load and measure timing.
Bait Technique

Create telnet traffic to a fake telnet server, with lots of logins and passwords.
Sniffer takes the bait.
Telnet attempts are then made to the non-existing server.

Works like a honey-pot.