Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Detecting network sniffers

Monday, March 14, 2005 Comments

 .NET  Database Development  Security  Speaking 
Share:   Share on LinkedIn    Share on Twitter    Share on Facebook   

Last night ended a series of talks I gave last week in a couple of locations. Last Wednesday, I enjoyed speaking to the Connecticut Access User Group on Security, and I had a great time this weekend delivering four talks at Code Camp III on Security and SQL Server 2005 topics. I was going to speak at the Rhode Island .NET Users Group on Thursday night, but it was postponed again (maybe I will get to speak there someday!).

I will talk more about Code Camp experiences in another post, but I wanted to post this quick follow-up to one of my most popular talks: Penetration Testing of ASP.NET Web Applications (it was so popular that we had to move from a smaller room we were originally in to a much larger room just to accomodate all the people -- and then it was standing room only in some spots!).

One question that was posed was how do you detect if a network sniffer is running on your network? I am not sure as I haven't set up any tools to do that, but a network person afterward indicated it is very, very difficult, if not impossible, to detect. I just noticed this post by Tim Rains (Microsoft) on just such a proposed tool:

Do you know whether your Windows system is sniffing network traffic off the network without your knowledge?  


This type of passive attack can be very difficult to detect.  There are numerous third party tools that try to detect network sniffers running on the network by looking for signs of systems with network interfaces running in “promiscuous mode.” Since many of these tools use network-based detection techniques that rely on bugs in operating systems and/or specific sniffer behavior, they can generate false positive and false negative results.


I have developed a tool that can detect managed Windows systems that have network interfaces running in promiscuous mode – a key indicator that a network sniffer is running on the system.  I use a host based detection technique instead of a network based detection technique in order to make this tool as accurate as possible.

This looks very interesting, and I am looking forward to testing the capabilities.

Share:   Share on LinkedIn    Share on Twitter    Share on Facebook