LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Can you sniff without an IP?

#1  stakhous  05-23-2006, 07:50 AM
In my department we are trying to monitor the LAN's traffic as stealthy as possible. Someone gave me the idea of setting up a linux box w/o any IP addresses assigned and run a sniffer such as ethereal. If this lan is running behind a hub, would this be a possible feat?

Thanks,

Stakhous
 
#2  pljvaldez  05-23-2006, 11:10 AM
Not sure what you mean by no IP address assigned, but I know that you can find out the range of DHCP leases allowed and just pick a static IP from outside that range (for example, if the LAN uses 192.168.0.1-192.168.0.40, use 192.168.0.50 as a static IP). Then you still have network access, but the DHCP server won't have a record of your IP assigned.

Unless I'm mistaken though, you'll still be able to be seen from the LAN. You'll probably have to do some fancy firewalling to try to make yourself unseen by the LAN. Also, anytime you access the gateway, you'll probably be logged as being on the network.
 
#3  unixfool  05-23-2006, 11:26 AM
Quote:
Originally Posted by stakhous
In my department we are trying to monitor the LAN's traffic as stealthy as possible. Someone gave me the idea of setting up a linux box w/o any IP addresses assigned and run a sniffer such as ethereal. If this lan is running behind a hub, would this be a possible feat?

Thanks,

Stakhous
I'm not sure you can do that with Ethereal. Non-IP-assigned interfaces are the preferred method for dedicated sniffing devices, though. I'd pick something to use other than Ethereal.

Here's what my BSD box's interfaces look like:

Sniff interface:
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:90:fe:05:0c:ca
media: Ethernet autoselect (10baseT/UTP)
status: active

Management interface:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet 10.150.1.103 netmask 0xffffff00 broadcast 10.150.1.255
ether 00:c0:4f:61:28:1f
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
 
#4  unixfool  05-23-2006, 11:42 AM
Quote:
Originally Posted by pljvaldez
Not sure what you mean by no IP address assigned, but I know that you can find out the range of DHCP leases allowed and just pick a static IP from outside that range (for example, if the LAN uses 192.168.0.1-192.168.0.40, use 192.168.0.50 as a static IP). Then you still have network access, but the DHCP server won't have a record of your IP assigned.

Unless I'm mistaken though, you'll still be able to be seen from the LAN. You'll probably have to do some fancy firewalling to try to make yourself unseen by the LAN. Also, anytime you access the gateway, you'll probably be logged as being on the network.
Sniffing is *usually* totally passive in nature. Sniffing software usually doesn't send traffic (or receive, for that matter, as the sniffing is transparent).

Also, earlier, I mentioned that sniffing (usually in IDS mode) can be done without an assigned IP and is usually the preferred method of sniffing. The reason an IP is not preferred is to avoid direct attacks on the sniffer.
 
#5  stakhous (original poster)  05-23-2006, 03:53 PM
Unixfool, if you don't mind that I ask, what sniffing software do you use? Or what software is capable of sniffing w/o an IP?


And if the computer is not assigned an IP, does this mean that the computer is in effect undetectable? Of course I have heard of ways to detect promiscuous nics on the network, not sure if this sounds accurate.

Thanks
 
#6  pljvaldez  05-23-2006, 03:59 PM
As you're no doubt aware by now I have no idea what I'm talking about... But google turned up this interesting article on IP-less sniffing that you might read while you wait for Unixfool.
 
#7  unixfool  05-23-2006, 06:46 PM
Quote:
Originally Posted by stakhous
Unixfool if you dont mind that I ask, what sniffing software do you use? Or what software is capable of sniffing w/o an IP?


And if the computer is not assigned an IP, does this mean that the computer is in effect undetectable? Of course I have heard of ways to detect promiscuous nics on the network, not sure if this sounds accurate.

Thanks
I have used Snort in IDS mode in enterprise environments (and at home and on my public server). Snort also has a sniff mode, which is very similar to tcpdump (Snort is in fact derived from tcpdump). I'm usually using IDS mode when using Snort but I don't think it matters with Snort. Either way, you have to use an interface. Maybe I'll test using Snort in sniff mode without an assigned IP on the sniff interface.

And yes, the lack of an IP on the interface makes the interface pretty much invisible. There are tools that can search for promiscuous interfaces, as you've said, but if you use an interface with no IP assigned along with other security measures, you're pretty safe.
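The "tools that can search for promiscuous interfaces" mentioned in posts #5 and #7 mostly rely on the classic ARP trick: send an ARP request for the target's IP to a destination MAC that a NIC in normal mode filters in hardware, and see whether the host's stack answers anyway. The block below is an added example written for this page, not code from the thread or from any of the tools named in it. It builds and parses the probe frames so the logic can be checked offline; the probe MAC set follows the widely published test, the MAC and IP values are constructed, and the live probe_host() needs Linux (AF_PACKET raw sockets) and root. Note the caveat this thread is really about: an interface with no IPv4 address never answers any of these probes, because the kernel has no address to match the ARP target against, so an IP-less sniffer sidesteps this detection entirely (an IPv6 link-local address or other chatter can still reveal it).

```python
"""Added example: ARP-based probe for a promiscuous NIC (not from the thread).
Probe MACs follow the classic published test set; addresses are constructed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# "broadcast" is the control: every live IPv4 host answers it. The others are
# rejected by a NIC's hardware address filter but accepted by a kernel that is
# handed every frame, so a reply suggests promiscuous mode. Which of them
# trigger depends on OS and driver, so treat a hit as a hint, not proof.
PROBE_DST_MACS = {
    "broadcast":      "ff:ff:ff:ff:ff:ff",  # control, real broadcast
    "fake-broadcast": "ff:ff:ff:ff:ff:fe",  # last bit wrong: filter drops it
    "16-bit-bcast":   "ff:ff:00:00:00:00",  # only the first 16 bits look broadcast
    "group-bit":      "01:00:00:00:00:00",  # multicast bit set, no group joined
    "multicast-zero": "01:00:5e:00:00:00",  # IPv4 multicast base address
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, src_mac, src_ip, dst_mac, target_mac, target_ip) -> bytes:
    """Ethernet header + ARP body (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # Ethernet/IPv4, op
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)        # sender hw/proto
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)  # target hw/proto
    return eth + arp


def build_probe(src_mac, src_ip, target_ip, dst_mac) -> bytes:
    """ARP request for target_ip, delivered to the chosen (possibly bogus) MAC."""
    return build_arp_frame(ARP_REQUEST, src_mac, src_ip, dst_mac,
                           "00:00:00:00:00:00", target_ip)


def parse_arp_reply(frame: bytes):
    """(sender_mac, sender_ip) if frame is an Ethernet ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32])


def probe_host(iface, src_mac, src_ip, target_ip, timeout=1.0) -> dict:
    """Send every probe on `iface` (Linux, root); map probe name -> replied?"""
    results = {}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                       socket.htons(ETH_P_ARP)) as sock:
        sock.bind((iface, 0))
        sock.settimeout(timeout)
        for name, dst_mac in PROBE_DST_MACS.items():
            sock.send(build_probe(src_mac, src_ip, target_ip, dst_mac))
            answered = False
            try:
                while not answered:
                    parsed = parse_arp_reply(sock.recv(2048))
                    answered = parsed is not None and parsed[1] == target_ip
            except socket.timeout:
                pass
            results[name] = answered
    return results


def verdict(results: dict) -> str:
    """Interpret probe_host() output."""
    if not results.get("broadcast"):
        return "no answer to real broadcast: host down or not on this segment"
    hits = [n for n, ok in results.items() if ok and n != "broadcast"]
    if hits:
        return f"likely promiscuous (answered {', '.join(hits)})"
    return "no sign of promiscuous mode"
```

A typical run would be probe_host("eth0", "00:11:22:33:44:55", "192.168.0.50", "192.168.0.10") followed by verdict() on the result; a host that answers the real broadcast but none of the bogus MACs is either not sniffing or, as in this thread, is sniffing on an interface that has no IP to answer for.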
 
#8  stakhous (original poster)  05-24-2006, 07:43 AM
Great link pljvaldez, I read the entire article.

And thanks unixfool, I have experience with snort so after work I'm going to set it up and see what I can do w/ an IPless NIC. You have been much help.


Stakhous
 
#9  lucktsm  05-24-2006, 08:29 AM
Ethereal is passive. If your NIC is in passive promiscuous mode, you won't get an IP address. A good idea would be to have two NICs: one is your remote access into the box via SSH and the other is the passive sniffer on the targeted network.
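As an added example (not code from the thread or from any poster), here is the Linux equivalent of the layout unixfool shows on BSD in post #3 and lucktsm describes above: one NIC keeps an address for SSH, the other is brought up with no address, with ARP and IPv6 autoconfiguration switched off, and in promiscuous mode for the capture tool. The script renders the iproute2 and sysctl commands, can apply them, and checks the result by parsing `ip -o addr show` output and the interface's flags file. Interface names (eth0 for management, eth1 for the sniff port) and the Snort 2 sniff-mode flags are assumptions; the sample `ip` output in the test is constructed.

```python
"""Added example (not from the thread): prepare a dedicated capture NIC on
Linux with no IP address, while a second NIC keeps an address for SSH.
Assumes iproute2 `ip` and `sysctl`; interface names are placeholders."""
import subprocess

IFF_PROMISC = 0x100  # bit in /sys/class/net/<iface>/flags, from linux/if.h


def sniff_iface_commands(iface: str) -> list[list[str]]:
    """Commands that turn `iface` into a silent, address-less capture port."""
    return [
        # No IPv4/IPv6 address: nothing for the kernel to answer ARP or ping for.
        ["ip", "addr", "flush", "dev", iface],
        # Otherwise the kernel adds an fe80:: link-local address and starts
        # sending router solicitations and MLD reports, which announce the box.
        ["sysctl", "-w", f"net.ipv6.conf.{iface}.disable_ipv6=1"],
        # Refuse to take part in ARP on this port at all.
        ["ip", "link", "set", "dev", iface, "arp", "off"],
        # Promiscuous so frames addressed to other hosts reach the sniffer.
        ["ip", "link", "set", "dev", iface, "promisc", "on"],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def capture_command(iface: str, tool: str = "tcpdump") -> list[str]:
    """Capture tool argv: tcpdump, or Snort 2 in packet-sniffer mode (-v)."""
    if tool == "snort":
        return ["snort", "-v", "-d", "-e", "-i", iface]
    # -nn: never resolve names (a DNS lookup from the sniffer would be traffic
    # on the management side); -s 0: full frames; -w: write pcap, not stdout.
    return ["tcpdump", "-i", iface, "-nn", "-s", "0", "-w", f"{iface}.pcap"]


def addresses_from_ip_output(text: str) -> list[str]:
    """Parse `ip -o addr show dev <iface>` output; a clean sniff port gives []."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        for i, tok in enumerate(fields[:-1]):
            if tok in ("inet", "inet6"):
                found.append(fields[i + 1])
    return found


def flags_say_promisc(flags_text: str) -> bool:
    """Interpret the hex value in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def check_sniff_iface(iface: str) -> dict:
    """Live check (needs the real interface): no addresses, promisc on."""
    out = subprocess.run(["ip", "-o", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    with open(f"/sys/class/net/{iface}/flags") as fh:
        flags = fh.read()
    return {"addresses": addresses_from_ip_output(out),
            "promisc": flags_say_promisc(flags)}


def configure(iface: str, dry_run: bool = True) -> list[str]:
    """Render the setup commands; with dry_run=False also run them (root)."""
    cmds = sniff_iface_commands(iface)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return [" ".join(cmd) for cmd in cmds]


if __name__ == "__main__":
    # eth0 keeps its address for SSH; eth1 is the placeholder sniff port.
    for line in configure("eth1"):
        print(line)
    print(" ".join(capture_command("eth1", "snort")))
```

After configure("eth1", dry_run=False), check_sniff_iface("eth1") should report an empty address list and promisc True; any inet or inet6 entry means the port can still be addressed and the disable_ipv6 or flush step did not take.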
 
  

