> From owner-bugtraq@fc.net Mon May 1 11:36:08 1995
> You can't "detect a sniffer" from looking at the net...

There are some tricks you can try, although they won't work in all cases.

1) rup hostx; generate tremendous amounts of TCP traffic; rup hostx again.
   If a sniffer is running, most likely the load will go up substantially
   to deal with the increased traffic.

2) Look for large amounts of name server queries. A telltale sign that
   tcpdump is running is dozens of requests in a short period of time for
   reverse lookups.

As I said, these won't work in all cases, although the sniffers I've seen
floating around in hackers' toolboxes these days will be detected by either
of these techniques.

-Mike
mcn@EnGarde.com
En Garde Systems - Computer Security Software and Consulting
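
Added example (not part of the original post): a sketch of check 2 as a sliding-window detector over name server query records, flagging clients that issue a burst of distinct reverse lookups. The log layout ("epoch-seconds client query-name query-type", sorted by time), the 10-second window, the threshold of 24, and all addresses are assumptions constructed for this example.

```python
from collections import defaultdict, deque

REVERSE_ZONES = (".in-addr.arpa", ".ip6.arpa")

def parse_query(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return float(ts), client, qname.lower().rstrip("."), qtype.upper()

def find_ptr_bursts(lines, window=10.0, threshold=24):
    """Return {client: peak} for clients whose count of distinct reverse-lookup
    names inside any `window`-second span reaches `threshold`.
    Input must be sorted by time; both defaults are assumed values for
    "dozens of requests in a short period of time"."""
    recent = defaultdict(deque)   # client -> (ts, qname) pairs still in window
    peak = defaultdict(int)       # client -> highest distinct-name count seen
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = parse_query(line)
        if qtype != "PTR" or not qname.endswith(REVERSE_ZONES):
            continue
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        peak[client] = max(peak[client], len({name for _, name in q}))
    return {c: n for c, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one host resolving 30 addresses in about 6 s, one
    host doing a reverse lookup once a minute, and an ordinary A query."""
    lines = [f"{1000 + i * 0.2:.1f} 192.0.2.10 {i + 1}.113.0.203.in-addr.arpa PTR"
             for i in range(30)]
    lines += [f"{1000 + i * 60} 192.0.2.25 {i + 1}.100.51.198.in-addr.arpa PTR"
              for i in range(5)]
    lines.append("1003.0 192.0.2.25 www.example.com A")
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for client, n in find_ptr_bursts(sample_log()).items():
        print(f"{client}: {n} distinct reverse lookups within 10 s")
```

Hosts such as mail relays and log analyzers also issue many reverse lookups, so compare against a per-host baseline before treating a hit as a sniffer. A capture run with name resolution turned off (for example tcpdump -n) produces no such queries.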