Subject: Detecting Sniffing?
To: Scott Reynolds <scottr@Plexus.COM>
From: Christopher Klaus <cklaus@iss.net>
List: current-users
Date: 01/11/1995 13:09:51
Is it possible to detect whether a program such as tcpdump is sniffing 
by seeing if any of the interfaces are in promiscuous mode?

I know you can remove bpf from the kernel as one step in stopping sniffing,
but it is also trivial if someone gains root to recompile the kernel with
it back on.  It might be useful to have a script that periodically checks
to see if the kernel has bpf on and/or check if any interfaces are in promisc
mode.

Thanks,
Christopher

-- 
Christopher William Klaus	Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.		Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.