North American Network Operators Group

Re: sniffer/promisc detector

  • From: Chris Brenton
  • Date: Fri Jan 16 21:25:39 2004

On Fri, 2004-01-16 at 18:00, Gerald wrote:
>
> I should probably mention that I've already started looking at antisniff.
> I was hoping to find something that was currently maintained and still
> free while I investigate antisniff's capabilities.

Antisniff is still the best software-based tool for the job. It has far
more extensive testing than anything else I've looked at.

Of course the one blind spot with antisniff is that it can only detect
sniffers that have an IP address assigned to them. To detect these you
have to look at your switch statistics. Dead giveaway is a host
receiving traffic, but never transmitting. There is a false positive for
this condition, however, which is a hub plugged into the switch with no
hosts attached.

HTH,
C
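
The switch-statistics check described in the message above, as an added example that is not part of the original post: it compares two polls of per-port packet counters and flags ports that are up and were sent traffic but sent none themselves. The port names, counter values, field names and the `min_out` threshold are all constructed assumptions.

```python
# Added example. All port names and counter values below are constructed.
# Counters are from the switch's side of each port:
#   in_pkts  = frames the attached device transmitted
#   out_pkts = frames the switch sent to the device (floods/broadcasts included)
COUNTER_MAX = 2**32  # 32-bit interface counters wrap around

POLL_1 = {
    "Fa0/1": {"up": True,  "in_pkts": 120_500,       "out_pkts": 340_200},
    "Fa0/2": {"up": True,  "in_pkts": 0,             "out_pkts": 88_000},
    "Fa0/3": {"up": False, "in_pkts": 0,             "out_pkts": 0},
    "Fa0/4": {"up": True,  "in_pkts": 4_294_967_000, "out_pkts": 10_000},
    "Fa0/5": {"up": True,  "in_pkts": 0,             "out_pkts": 40},
}
POLL_2 = {
    "Fa0/1": {"up": True,  "in_pkts": 121_900, "out_pkts": 345_000},
    "Fa0/2": {"up": True,  "in_pkts": 0,       "out_pkts": 93_000},
    "Fa0/3": {"up": False, "in_pkts": 0,       "out_pkts": 0},
    "Fa0/4": {"up": True,  "in_pkts": 200,     "out_pkts": 15_000},  # wrapped
    "Fa0/5": {"up": True,  "in_pkts": 0,       "out_pkts": 45},
}


def delta(new, old):
    """Counter increase between polls, tolerating one 32-bit wrap."""
    return (new - old) % COUNTER_MAX


def receive_only_ports(before, after, min_out=100):
    """Return [(port, pkts_sent_to_device)] for ports that were up in both
    polls, were sent at least min_out packets, and transmitted nothing."""
    suspects = []
    for port, new in sorted(after.items()):
        old = before.get(port)
        if old is None or not (old["up"] and new["up"]):
            continue  # new or down port: no usable interval
        from_device = delta(new["in_pkts"], old["in_pkts"])
        to_device = delta(new["out_pkts"], old["out_pkts"])
        if from_device == 0 and to_device >= min_out:
            suspects.append((port, to_device))
    return suspects


if __name__ == "__main__":
    # A flagged port still needs a physical check: a hub with no hosts
    # attached produces exactly the same counters.
    for port, pkts in receive_only_ports(POLL_1, POLL_2):
        print(f"{port}: received {pkts} packets, transmitted 0")
```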