-
Sorry, my mind is completely blank right now, hehe, so let me ask a question: how do you detect a sniffer on the LAN (a NIC set to promiscuous mode in the same broadcast domain)--see web link: #3624860
-linjiaotou(林教头);
2007-4-19
(#3624864@0)
-
no, except for some1/something that has full access (network/host) to all the ports on the switch and all the way down to each node.
-buma(buma);
2007-4-19
(#3624892@0)
-
yes i AM talking about having full access...say, i am the network admin.
-linjiaotou(林教头);
2007-4-19
(#3625095@0)
-
so check the host software inventory list on each node, look for any instances of packet sniffer software. :D here is a simplified list of common sniffer software.
http://www.tech-faq.com/packet-sniffer.shtml
-buma(buma);
2007-4-19
{98}
(#3625135@0)
-
this is not practical. you would not only need root access to each host, but also need a whole lot of time checking one by one! - my client has thousands of suspicious hosts on multiple broadcast domains.
-linjiaotou(林教头);
2007-4-20
(#3625886@0)
-
rational thoughts... ;), I once thought about the same idea of how to do web search like google's, and had the conclusion it was not practical to send so many webpage spiders. but heck, it was a huge success. :(. so sometimes, the most impractical way might be a successful one. ;)
-buma(buma);
2007-4-20
{106}
(#3625911@0)
-
appreciate ur input. u sound like a seasoned network professional. though the reality is...i'll be only there for a few hours playing an external consultant role, instead of being the actual admin who can spend days and weeks figuring out and setting up automated jobs/scripts to log onto each host (instead of interactively/manually logging in) to find the sniffer tool, or running process, or NIC interface status.
:)
-linjiaotou(林教头);
2007-4-20
{332}
(#3626019@0)
-
if u r network admin, u probably know packet sniffer is undetectable by nature. the only thing is to aggressively and proactively look for them.
-buma(buma);
2007-4-19
(#3625142@0)
-
undetectable (remotely without getting on the host)? i am not sure. that's why i am asking here.
-linjiaotou(林教头);
2007-4-20
(#3625877@0)
-
why are we able to detect other promiscuous NIC on the LAN? - here's the simple reason. By performing a fake ARP broadcast, we can determine if a NIC is in promiscuous mode or not. If the checked host is in promiscuous mode it will respond with an ARP response, otherwise it drops the packet.
-linjiaotou(林教头);
2007-4-22
{203}
(#3629789@0)
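Added example, not part of the original post and not code from any tool named in this thread: the fake ARP broadcast check described above, as Python that builds the probe frame and classifies hosts from captured replies. The probe address `ff:ff:ff:ff:ff:fe`, the function names and the sample addresses are assumptions made for illustration; sending and capturing are left out so it runs offline.

```python
import socket
import struct

# Assumed probe address: looks like broadcast but is not ff:ff:ff:ff:ff:ff,
# so a NIC's hardware filter drops it unless the NIC is promiscuous.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")
ARP_HDR = "!HHBBH"  # htype, ptype, hlen, plen, opcode

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, opcode, sha, spa, tha, tpa):
    """Ethernet II + ARP (Ethernet/IPv4), 42 bytes before padding."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, opcode)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def build_probe(my_mac, my_ip, target_ip):
    """ARP request for target_ip, addressed to the fake broadcast MAC."""
    return build_frame(FAKE_BROADCAST, my_mac, 1, my_mac, my_ip, bytes(6), target_ip)

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) if frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack(ARP_HDR, frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return socket.inet_ntoa(frame[28:32]), frame[22:28]

def classify(probed_ips, captured, my_mac):
    """Map each probed IP to True if it answered the fake-broadcast probe."""
    answered = set()
    for frame in captured:
        reply = parse_arp_reply(frame)
        if reply and frame[0:6] == my_mac:
            answered.add(reply[0])
    return {ip: ip in answered for ip in probed_ips}

if __name__ == "__main__":
    # Constructed sample data (documentation addresses, locally administered MACs).
    me, host = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:0a")
    probes = [build_probe(me, "192.0.2.1", ip) for ip in ("192.0.2.10", "192.0.2.11")]
    # Constructed capture: only 192.0.2.10 answered the probe.
    capture = [build_frame(me, host, 2, host, "192.0.2.10", me, "192.0.2.1")]
    for ip, suspect in classify(["192.0.2.10", "192.0.2.11"], capture, me).items():
        print(ip, "answered: possible promiscuous NIC" if suspect else "silent")
```

Sending the probe and capturing replies needs a raw socket (for example `AF_PACKET` on Linux, as root). A reply is an indicator to follow up on the host, not proof.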
-
try antisniff. even tho I doubt it
-buma(buma);
2007-4-19
(#3625149@0)
-
thx - i'll check out this one along with promiscan recommended in the forum next door.
-linjiaotou(林教头);
2007-4-20
(#3625872@0)
-
try this: http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&displaylang=en
-pnpn(双飞雁);
2007-4-21
(#3628187@0)
-
Thanks a lot, your post came at just the right time. Today I used this one and nast on Unix!
-linjiaotou(林教头);
2007-4-22
(#3629779@0)