Detecting network packet analyzers

Posted on 1999-01-28
Last Modified: 2010-03-18
So I've got this rogue laptop that's running some crap OS like 95 who keeps jacking into misc. ethernet ports and running some commercial packet grabber like netxray, LANanalyzer, etc. (I'm not sure if it's happening but I've heard rumors).

I know in order for an app like that to work it has to drop the NIC into "promiscuous mode" so that it will grab every packet that goes by.

So my question is.. Is there any way to detect if someone is really grabbing packets or not? Anyone know of some slick tool or software package to detect this?

thanks in advance
Question by: TMcSinly

Accepted Solution

jeffa072897 earned 100 total points
ID: 1588256
In the last 8+ years I have not seen anything that will do this. I doubt it is possible because of the way promiscuous mode works. A system just watching the net would not have any reason to send packets back out. You wouldn't get anywhere with broadcasts unless the system is configured to answer them, which they only do normally when used for active troubleshooting. As long as the traffic is valid and the hardware of the net is correct I don't see any way to go about finding such a device. For such a system to work on the network it would have to function just like any other node even while in promiscuous mode.

The remotest idea I could suggest would presume that the person running the machine you want to find puts the machine on the network using an IP address that works and you didn't give it out. Then you could write a script to single ping all the addresses on the network and log the responding addresses. Compare the results to known issued addresses and you might find the culprit. This is real shaky and may not work, but it could be something to try.
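
The ping-and-compare idea from the accepted answer, sketched as an added example that is not part of the original thread or written by either poster. The names `ping_once` and `sweep`, the Linux `ping` flags, and the 192.0.2.0/24 addresses are assumptions chosen for illustration.

```python
import ipaddress
import subprocess
from concurrent.futures import ThreadPoolExecutor


def ping_once(addr, timeout_s=1):
    """Send one ICMP echo with the system ping (Linux iputils flags assumed)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), addr],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def sweep(network, issued, probe=ping_once, workers=32):
    """Ping every host address once and compare responders to issued addresses."""
    issued = {ipaddress.ip_address(a) for a in issued}
    hosts = list(ipaddress.ip_network(network).hosts())
    # Probe in parallel so a mostly empty subnet does not cost one timeout per host.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(lambda h: probe(str(h)), hosts))
    responders = {h for h, up in zip(hosts, alive) if up}
    return {
        # Answered the ping but was never handed out: worth tracing to a port.
        "unknown": [str(h) for h in sorted(responders - issued)],
        # Handed out but not answering: powered off, or filtering ICMP.
        "silent": [str(h) for h in sorted(issued - responders)],
    }


if __name__ == "__main__":
    # Constructed sample values (documentation range); use your own allocation list.
    ISSUED = ["192.0.2.1", "192.0.2.10", "192.0.2.11"]
    report = sweep("192.0.2.0/24", ISSUED)
    for addr in report["unknown"]:
        print("responding but not issued:", addr)
    for addr in report["silent"]:
        print("issued but silent:", addr)
```

A host that does not answer ICMP echo, or that takes an address already on the issued list, will not appear under `unknown`.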


Author Comment

ID: 1588257
OK, that's what I thought.... but I just wanted a second opinion
