> Is there any way to find out if a sniffer is on the net?

Ahh. Addenda of my own to that post... sorry... like I said, I'm tired.

First of all, pick up lsof and cpm... ftp://ftp.cert.org/pub/tools/lsof/lsof_3.02.tar.gz and ftp://ftp.cert.org/pub/tools/cpm/cpm.1.0.tar, respectively. lsof will give you information about file and device access by processes, including the process ID of anything currently accessing a device. If you think you're being sniffed and you have a /dev/nit, lsof it to see if your sniffers are being really obvious.

Many hackers will make their own NIT device somewhere else... if you trust your find command,

    # find / -type c -exec /bin/ls -l {} ';' | more

will give you a list of all the character devices on the system. Look for devices in weird places. NIT normally has 37 as its major and 40 as its minor number.

CPM will show if an interface is in promiscuous mode, pretty reliably unless the intruder went to the trouble of changing the net.o object (couldn't someone feasibly reassign the IFF_PROMISC flag to a different hex value in if.h?). It does this by opening a socket and reading the ifconf structure returned by a SIOCGIFCONF ioctl to that socket's file descriptor, and reading the flags out of the returned structure.

Somewhere around here I have a program that will scan a system for NIT-type devices. I don't have it handy, so I can't tell you offhand how it works... if I find it, I'll send it your way.

------------------------------------------------------------------------
A s r i e l D e C a t t e a t M 0 C K C h i c a g o , 1 9 9 5 . . .
do not lead for I will not follow - do not follow for I will not lead
asriel@wookie.net
------------------------------------------------------------------------