How to detect and prevent network from sniffing

I am pretty sure at the switch level, the switch can determine which ports have network interface cards that are in passive mode. I am also pretty sure that a switch can be programmed to refuse connections of NIC's that are on passive mode.

Now that may prevent a user who is trying to use ARP poisoning on a switched network to sniff traffic. But the most dangerous configuration which is a user sniffing on a hub network would be much more difficult proposition since most hubs have no configuration capabilities.

As previously said, there are programs that can detect which cards are in promisc. mode and then show which IP's and MAC's they have. A program like ettercap has a plugin for this...

But before you can set out to check who's sniffing your packets, you have to know how to sniff others packets. Once you learn that, you'll realise you dont even need a card in promiscious mode for sniffing to become effective...

If your wanting to know who's sniffing between you and with a connection on the same lan/subnet its quiet easy, however, depending on how they are sniffing - it can get very complicated.

Could you be a little more specific ? Or is this just a post curious about anti-hacking methods ?

Well while ago there was a tool on this forum called "Give Me Too" so i decided to try it.I was amazed how powerfull it is.It can sniff almost any kind of traffic(http,irc,mail,icq..).So i thought if there is any kind of protection from it.I know about some sniffing methods are they all based on libpcap or not

lol, yeah, those are just pretty little front ends to it all....

If an experience sniffer (the person who's using the sniff is experience i mean) wanted to sniff your traffic, it wont be hard... But they'd have to sniff at the right locations etc...

SSL isnt a straight protection either, as version1 can be easily sniffed and often most implementations allow either v1 or v2, so you can force a v1 and sniff....

Once you learn more about sniffing you will slowly see more and more ways to sniff and methods to stop your machine being sniffed....

ie, i use to think i was unsniffable on a switch ..... how wrong i really was, and i would not be surprised if i learn of a new method to sniff myself I have not protected myself against....

First post here (hi all )

Well, i always thought a good way to test if a computer is sniffing traffic is to send it a 'bad packet' eg. made up ip, malformed MAC address and if the computer still accepts (which it shoudnt normally) then you can guess its more than likely in Promiscuous mode.

jjjj,

Welcome to GSO And we've seen MUCH worse posts than that as a first

Regarding your theory, im not 100% sure how programs detect wether another card is in promisc. mode - but it is possible. Ie ettercap has plugins for this.

Your theory needs to be compared with the OSI Model, ie the 7 layers of network connectivity. Just because you place your card in promisc. mode, doesnt mean the kernel and/or firewall wont send back an RST packet if the ports closed. Many firewalls will just drop the packet - giving you a false positive - based on your theory. However, im not a genious at the exact workings of how different operating systems treat network packets...

Hacking and security is a way of thinking - and that theory shows you've atleast got what it takes

But dont take my word for it, theres methods you'll learn if you dont know already to test theories like that.

There are very few ways to detect Sniffers or in other words, NIC's in Promicuous Mode. You can use a tool by the name Promiscan v3.0

When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer.Thus some stacks respond to some packets which they shouldnt usually.

So we can use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode.Even this is not a perfect method, as there are ways to circumvent the Stack from replying to those requests is also pretty easy.