Internet.com ISP-Planet
Best of the ISP-Lists
Detecting Promiscuity on Your LAN

Members of the ISP-Security list discuss finding and thwarting packet sniffers on your Local Area Network (LAN).

On the ISP-Security list in October, JGA asked,

"I've got a LAN running on TCP/IP. We are all connected to the same switch, and we use private IP addresses, sharing the same router to get to the Internet. Is there a way to find out if someone is using a packet sniffer on our network?"

TK replied that a switched LAN makes JGA's concern much less pressing, though not groundless:

"One good thing about having all the workstations connected together through a switch, not a hub, is that packet sniffing becomes much harder to do, as each workstation gets its own network segment. If data comes along the network media, a bridge compares the destination MAC address carried by the data to MAC addresses contained in its tables.

Normally, packet sniffing occurs at the IP layer (layer 3)—but if someone wished to sniff packets over a switched network, they would have to hack on the data link layer (layer 2), which is basically all your MAC addressing. So in order to sniff a switched network, the hacker must try to fool the switch into broadcasting to a device it isn't supposed to broadcast to."

Others offered their own methods for dealing with packet sniffer concerns:

[AMS suggested] "The best bet would be to install a packet sniffer detector on each and every station connected to the network. A sniffer program works by placing the Ethernet port into promiscuous mode. Consequently, a sniffer detector simply detects that an Ethernet port has gone promiscuous."

[CEB offered] "Send a ping to a MAC (layer 2) address not present on the local net, but with a local IP (layer 3) as the destination. If the card is operating normally, the IP stack never sees the packet. If the card is in promiscuous mode, the OS will promptly respond. This gets layer 3 to tattle on layer 2 status. Most IP stacks do not bother filtering based on the MAC address."

[BL added] "If someone is in promiscuous mode, there are a few tricks you can use to detect it. It's not an exact science, but it is possible to take some countermeasures. See, for instance, L0pht's AntiSniff."
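The two techniques the list members describe above, AMS's per-station check of the interface's promiscuous flag and CEB's ping to a MAC nobody owns, as one added example. This is not code from the list, from AntiSniff or from any vendor. It assumes Linux for the flag file (/sys/class/net/<ifname>/flags) and for the raw AF_PACKET socket, and it stands in a hypothetical SimHost class for the suspect machine so that the probe logic runs and can be checked offline; every MAC and IP address in it is a constructed sample value.

```python
"""Two promiscuous-mode checks in one runnable, offline demo (added example; not
code posted by the ISP-Security list members).

 * AMS's per-station detector: read the kernel's interface flags and test the
   IFF_PROMISC bit (Linux exposes them in /sys/class/net/<ifname>/flags).
 * CEB's remote probe: an ICMP echo request whose IPv4 destination is the
   suspect host but whose Ethernet destination MAC belongs to nobody. A NIC in
   normal mode drops that frame in hardware; a promiscuous NIC hands it to the
   IP stack, which answers because most stacks never re-check the MAC.

The frame is built with struct and the suspect host is simulated by SimHost
(hypothetical), so nothing here touches the wire. send_probe() shows how the
same bytes would be sent for real (Linux, raw socket, needs CAP_NET_RAW).
"""
import socket
import struct

IFF_PROMISC = 0x100              # from Linux <linux/if.h>; `ip link` prints it as PROMISC
BOGUS_MAC = "00:00:00:00:00:01"  # unicast (low bit of first octet clear) so no
                                 # multicast filter accidentally accepts it


def is_promisc_from_flags(flags_hex: str) -> bool:
    """AMS's check on the local host: flags_hex is the text of
    /sys/class/net/<ifname>/flags, e.g. '0x1103' (PROMISC set) vs '0x1003'."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def read_promisc(ifname: str) -> bool:
    with open(f"/sys/class/net/{ifname}/flags") as f:
        return is_promisc_from_flags(f.read().strip())


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_probe(src_mac, dst_mac, src_ip, dst_ip, ident=0x1234, seq=1) -> bytes:
    """Ethernet II / IPv4 / ICMP echo request. For CEB's trick dst_mac is a
    MAC nobody owns while dst_ip is the suspect host's real address."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + icmp


def send_probe(ifname: str, frame: bytes) -> None:
    """Real transmission (Linux only, root/CAP_NET_RAW); not used by the demo."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        s.send(frame)


class SimHost:
    """Hypothetical model of the suspect: the NIC's hardware address filter in
    front of an IP stack that answers echo requests for its IP and ignores the MAC."""
    BROADCAST = b"\xff" * 6

    def __init__(self, mac: str, ip: str, promiscuous: bool = False):
        self.mac, self.ip, self.promiscuous = mac_bytes(mac), ip, promiscuous

    def nic_accepts(self, frame: bytes) -> bool:
        dst = frame[:6]
        if self.promiscuous:                       # sniffer: every frame comes up
            return True
        return dst == self.mac or dst == self.BROADCAST or bool(dst[0] & 1)

    def ip_stack(self, frame: bytes):
        ip, icmp = frame[14:34], frame[34:]
        if ip[9] != 1 or socket.inet_ntoa(ip[16:20]) != self.ip or icmp[0] != 8:
            return None
        reply_icmp = b"\x00\x00\x00\x00" + icmp[4:]                 # type 0 = echo reply
        reply_icmp = reply_icmp[:2] + struct.pack("!H", checksum(reply_icmp)) + reply_icmp[4:]
        reply_ip = ip[:10] + b"\x00\x00" + ip[16:20] + ip[12:16]   # swap src/dst IP
        reply_ip = reply_ip[:10] + struct.pack("!H", checksum(reply_ip)) + reply_ip[12:]
        return frame[6:12] + self.mac + b"\x08\x00" + reply_ip + reply_icmp

    def receive(self, frame: bytes):
        return self.ip_stack(frame) if self.nic_accepts(frame) else None


def probe(host: SimHost, src_mac: str, src_ip: str, dst_mac: str) -> bool:
    reply = host.receive(build_probe(src_mac, dst_mac, src_ip, host.ip))
    return reply is not None and reply[34] == 0


def is_promiscuous(host: SimHost, host_mac: str, src_mac="00:11:22:33:44:01",
                   src_ip="192.168.1.10") -> bool:
    """CEB's test with a control: a reply to the real MAC proves the host is up
    and not dropping ICMP, so silence on the bogus-MAC probe means 'not
    promiscuous' rather than 'filtered or offline'."""
    if not probe(host, src_mac, src_ip, host_mac):
        raise RuntimeError("host does not answer ordinary pings; test is inconclusive")
    return probe(host, src_mac, src_ip, BOGUS_MAC)


if __name__ == "__main__":
    clean = SimHost("00:11:22:33:44:55", "192.168.1.20")
    sniffer = SimHost("00:11:22:33:44:66", "192.168.1.21", promiscuous=True)
    print("clean host promiscuous? ", is_promiscuous(clean, "00:11:22:33:44:55"))
    print("sniffer promiscuous?    ", is_promiscuous(sniffer, "00:11:22:33:44:66"))
```

The control ping in is_promiscuous() is the part a practitioner should not skip: without it, a host whose firewall drops ICMP looks exactly like a host whose NIC dropped the bogus-MAC frame. The remaining blind spots are the ones BL alludes to with "not an exact science": a stack that does filter on the destination MAC will never answer, and a stack that matches only part of the address may answer to some bogus MACs and not others, so a negative result from one probe address is weaker evidence than a positive one.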

—End

 
Related articles:  
  [Nov. 8, 2000] Making the Most of Your ISP Equipment
  [June 21, 2000] DSL Brings High Speeds and Security Issues