> Is there any way to find out if a sniffer is on the net?

Sure. If you have access to the machine you suspect is being sniffed from, get on the system and do an ifconfig -a. Make sure nothing is in promiscuous mode. It shows up in most (<cough>) if's as a flag (taken from struct ifnet, neh?) - IFF_PROMISC, I believe. You'll see it in ifconfig as PROMISC along with the rest of the flags. Some systems (I know SunOS does this) also have an entry in the network interface structure for how many times an interface has been requested to go into promiscuous mode. If an interface is in promiscuous mode, and you're not sure you didn't set it that way on purpose (something like netwatch, in which case a sniffer IS running, but it's yours...), then there's a good bet a sniffer's running.

Don't trust ifconfig unless you're sure it wasn't modified. Patches for ifconfig that won't report a network interface in promiscuous mode are floating around (rootkit, <cough><cough>). ifconfig is one o' dem happy files you want to keep a personal copy of and an MD5 signature on.

If nothing comes up as promiscuous, or your system doesn't have a flag for promiscuous mode (Solaris 2.4?), some other things...

Look for /dev/nit (Sun's network interface tap, a device that allows the system direct raw access to a network) if you have a Sun. I don't know what the correspondents to the NIT are on other systems (can anyone elucidate on this topic? I'm somewhat interested, since my proficiencies in these matters really only reside with SunOS). If it's there, and you believe the system it's on may have been compromised, be worried. This isn't really reliable unless you're sure /dev/nit isn't compiled into the kernel... it's pretty trivial (very) to just go to some remote corner of the system (how many of you people check what's in things like /usr/lib/font?) and mknod a new device with the appropriate major and minor numbers for a NIT.
Try this:

    # cd /tmp
    # touch snifftrap
    # telnet localhost blahblah
    ^]
    # telnet some.external.host blahblah
    ^]
    # find / -newer snifftrap -print

This'll tell you any files that got accessed after you touch'd "snifftrap", and it should give away the presence of any sniffer logs on your system. Don't trust this unless you're sure your find command hasn't been tampered with. Same situation with ifconfig - find patches ain't hard to come across, and aren't too damn hard to write.

A really unreliable check you can do that will foil the lame would be to do a find for suspiciously named files... find / -name "*sniff*" -print, find / -name "es" -print, etc.

System admins I've known have tried things like bombing the echo ports of all the systems on a network and seeing which systems lag badly or load up (the rationale being that systems with sniffers will be burdened by the sniffer reading all the packets it's taking in). I guess if you're really that worried about sniffers, you could also bomb a system on the ethernetwork that you DON'T suspect is being sniffed from, and watch to see which other systems on the net lag when you do it.

Sorry for the lack of coherency in this message... check out when I wrote it... =P

Any addenda?

------------------------------------------------------------------------
do not lead for I will not follow - do not follow for I will not lead
------------------------------------------------------------------------
main(){for(;;){fork();}}