Subject: Detecting Sniffing?
To: Scott Reynolds <scottr@Plexus.COM>
From: Christopher Klaus <email@example.com>
Date: 01/11/1995 13:09:51
Is it possible to detect whether a program such as tcp dump is sniffing
by seeing if any of the interfaces are in promiscious mode?
I know you can remove bpf from the kernel as one step in stopping sniffing,
but it is also trivial if someone gains root to recompile the kernel with
it back on. It might be useful to have a script that periodically checks
to see if the kernel has bpf on and/or check if any interfaces are in promisc
Christopher William Klaus Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.