LinuxQuestions.org

Linux - Security forum thread: how to detect sniffers on the network (https://www.linuxquestions.org/questions/linux-security-4/how-to-detect-sniffers-on-the-network-659065/)

nkd 07-29-2008 12:58 PM

how to detect sniffers on the network
 
I have a LAN consisting of Windows machines. I use my Fedora 8 laptop on the same network.
I wish to detect any machine running a sniffer. For that I should detect if any of the interfaces is in promiscuous mode.
I do not want a ready-made tool for that; can someone suggest a manual method - I mean a set of commands from the terminal window to do that?
thanks in advance
nishith

Mr. C. 07-29-2008 03:24 PM

Sniffers are passive, like radar detectors.

theNbomr 07-29-2008 03:30 PM

Unless the sniffer also generates traffic which is distinguishable from traffic the host may also generate ordinarily, you will not be able to detect a sniffer. Promiscuous mode simply means that the interface captures all packets that it detects, not just packets whose destination MAC matches the host interface's MAC and broadcasts/multicasts. Promiscuous mode listening has no influence on the network itself.
--- rod.

trickykid 07-29-2008 03:51 PM

Think of it like how a nose works. You smell or sniff the odor in the air but don't return the odor itself when you exhale. ;)

jschiwal 07-29-2008 04:22 PM

Do you use hubs or switches? If you use switches, then traffic between host A and host B is direct, and another host, host C, doesn't see it. Host C can only see broadcasts and its own traffic.

nkd 07-30-2008 05:38 AM

Sorry guys, I think I need to clarify what I wish to do....
I wish to detect sniffers, if any exist on the network. If there are any sniffers they have got to be in promiscuous mode, so if I find out all users who have their network card in promiscuous mode I am probably close to the solution.
I can use ifconfig, ip, ifpromisc etc. utilities to detect if the network card is running in promiscuous mode locally, but to detect it over the network I need some other tricks?
One way is to send an ARP request with a bogus MAC address to the suspected machine. If it replies it is in promiscuous mode - isn't that right?
Any more such ideas? Or any other such tips?
thanks in advance
nishith

TB0ne 07-30-2008 08:50 AM

Quote:

Originally Posted by nkd (Post 3230777)
Sorry guys, I think I need to clarify what I wish to do....
I wish to detect sniffers, if any exist on the network. If there are any sniffers they have got to be in promiscuous mode, so if I find out all users who have their network card in promiscuous mode I am probably close to the solution.
I can use ifconfig, ip, ifpromisc etc. utilities to detect if the network card is running in promiscuous mode locally, but to detect it over the network I need some other tricks?
One way is to send an ARP request with a bogus MAC address to the suspected machine. If it replies it is in promiscuous mode - isn't that right?
Any more such ideas? Or any other such tips?
thanks in advance
nishith

No you were quite clear, but everyone else above was too. The only way you can tell if the NIC is in promiscuous mode is to get on the box, and see how the driver is loaded. You'd either need to scan the box with SNMP, which may not work, since the driver information may not be in what's returned. Or you can connect to every box, and burp out full driver-information and card settings.

A sniffer does just that...sniffs. Any packets coming across aren't modified, just looked at. It's totally passive. If that box is doing ARP table poisoning, you may be able to detect it, but that's an "if".

theNbomr 07-30-2008 08:59 AM

Quote:

Originally Posted by nkd (Post 3230777)
One way is to send an ARP request with a bogus MAC address to the suspected machine. If it replies it is in promiscuous mode - isn't that right?
nishith

The fact that a host is listening in promiscuous mode should not affect any behavior of the rest of the network stack. If it does, it is a lousy sniffer.
To help you understand this, you should think back to the early days of networking, when packet sniffers were dedicated Test & Measurement instruments, made by companies such as Agilent (then, Hewlett Packard), Tektronix, etc. One of the tenets of good T&M is that it should have zero effect on the device or system which it is measuring. In the case of network packet sniffers, this means that it should not generate any traffic that would not be otherwise present in the network under test, or if it does, it should be indistinguishable from normal traffic.
Your assumption that any sniffer present on a network would necessarily be running on a Linux (or any other standard OS) host fails to cover the possibility of some dedicated traffic monitoring device, such as the T&M instruments I refer to above. Even a PC hosted device can operate as a dedicated sniffer, without the aid of any OS (I have done this).
Your best hope of detecting any device might come from information gleaned through the management side of managed switches, but at best, you could make only vague inferences.
As jschiwal has already mentioned, switched networks are already quite immune to traffic sniffing, and if you are using switches, instead of hubs, there is little traffic that is visible to a sniffer.
--- rod.

farslayer 07-30-2008 10:19 AM

ettercap + plugins..

http://www.irongeek.com/i.php?page=v...-with-ettercap

unixfool 07-30-2008 11:12 AM

Quote:

Originally Posted by farslayer (Post 3231056)

VERY NICE!

nkd 07-31-2008 05:18 AM

OK guys, here is a technique to detect network cards that are in promiscuous mode.
Compose an ARP request packet as follows:
Ethernet address of destination             FF FF FF FF FF FE
Ethernet address of sender                  <Own NIC's Device Address>
Protocol type (ARP = 0806)                  08 06
Hardware address space (Ethernet = 01)      00 01
Protocol address space (IPv4 = 0800)        08 00
Byte length of hardware address             06
Byte length of protocol address             04
Opcode (ARP request = 01)                   00 01
Hardware address of sender of this packet   <Own NIC's Device Address>
Protocol address of sender of this packet   <Own PC's IP Address>
Hardware address of target of this packet   00 00 00 00 00 00
Protocol address of target                  <IP Address of the machine you suspect to be the sniffer>

You will get an ARP reply from the suspected machine if it is running the network card in promiscuous mode.
To check all machines in the LAN, write a script to send this crafted ARP request packet many times, each time with a different IP address in the protocol address of target.

I tried it out on Ethereal and a number of other sniffers; they were all caught or returned a positive with this test.

There is a very good document on this with explanation - "Detection of Promiscuous Nodes Using ARP Packets"
at www.SecurityFriday.com.

thanks
nishith
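
As an added example (not code from the thread), the frame laid out in the post above built byte for byte with Python's struct, a parser for the ARP reply, and a Linux AF_PACKET sender; the interface name and the MAC/IP values are placeholders to be replaced with your own when auditing a LAN you administer. Whether the suspect answers depends on how its OS filters ARP frames with an unexpected destination MAC, so a silent host is not proof of a clean NIC.

```python
import socket
import struct

ETH_P_ARP = 0x0806
# FF:FF:FF:FF:FF:FE is not the real broadcast address: a NIC in normal mode discards it in
# hardware, a NIC in promiscuous mode passes it up, and some stacks then answer the ARP request.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def build_probe(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """42-byte Ethernet/ARP request laid out as in the post above, with the bogus destination MAC."""
    eth = FAKE_BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)               # Ethernet, IPv4, hlen 6, plen 4, request
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)     # sender hardware / protocol address
    arp += bytes(6) + socket.inet_aton(target_ip)                  # target MAC unknown, target IP = suspect
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) or None if not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return op, mac(frame[22:28]), socket.inet_ntoa(frame[28:32]), mac(frame[32:38]), socket.inet_ntoa(frame[38:42])

def is_positive(reply: bytes, probe: bytes) -> bool:
    """True if `reply` is an ARP reply (opcode 2) from the probed IP, addressed to our MAC: the suspect answered."""
    parsed = parse_arp(reply)
    return parsed is not None and parsed[0] == 2 and reply[28:32] == probe[38:42] and reply[32:38] == probe[6:12]

if __name__ == "__main__":
    # Live use (Linux, root): python3 arp_probe.py eth0 <our_mac> <our_ip> <suspect_ip>
    import sys, time
    iface, our_mac, our_ip, suspect = sys.argv[1:5]
    probe = build_probe(our_mac, our_ip, suspect)
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.settimeout(0.2)
    s.send(probe)
    answered, deadline = False, time.monotonic() + 2.0
    while not answered and time.monotonic() < deadline:     # other ARP traffic arrives on this socket too
        try:
            answered = is_positive(s.recv(65535), probe)
        except socket.timeout:
            pass
    print(f"{suspect}: {'answered the probe, NIC is likely promiscuous' if answered else 'no answer'}")
```

To sweep a LAN as the post suggests, loop build_probe over each address of the subnet and keep the hosts for which is_positive comes back true.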

Mr. C. 07-31-2008 11:27 AM

Not if the sniffer is in hidden ARP mode:

http://www.ssi.bg/~ja/#hidden

