Re: sniffers

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Tue, 2 May 1995 07:56:20 -0400

>> These are all good ideas, however many sniffers are not Unix systems
>> that can be logged into and examined.  I have worked with DOS-based
>> sniffers (Network General Sniffer, Excelan, HP, etc) that are far
>> superior to Suns (as sniffers/protocol analyzers) and I doubt that
>> they are easily detectable even with their transmit lead intact.

> I don't think the machine you run sniffer software on could make it
> better or worse, they all get the same packets;)

Not quite.  Some machines designed as sniffers / network analyzers have
special network interfaces that let them see things like packets with
Ethernet CRC checksum errors, runts, giants, etc - stuff that most
Ethernet interfaces either silently drop or just report the existence
of.

Also, the software on a dedicated machine has usually received a lot
more attention to making it useful than the network sniffing software
on a general-purpose machine.  (Unfortunately, it generally is also
completely fixed - you get what someone else thinks is useful, with no
way to modify it to do what _you_ want done.)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
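
An added illustration, not part of the original message: a short Python classifier for the frame conditions named in the reply (CRC errors, runts, giants). It assumes the capture hardware hands over the whole frame including the 4-byte FCS, as a dedicated analyzer's interface would, and uses the classic untagged Ethernet limits of 64 and 1518 bytes; the function names and sample frames are constructed for this example.

```python
import struct
import zlib

MIN_FRAME = 64    # classic Ethernet minimum, destination MAC through FCS
MAX_FRAME = 1518  # untagged maximum, including the 4-byte FCS


def with_fcs(body):
    """Append the CRC-32 frame check sequence, least significant byte first."""
    return body + struct.pack("<I", zlib.crc32(body))


def classify(frame):
    """Return the reasons an ordinary interface would drop this frame."""
    problems = set()
    if len(frame) < MIN_FRAME:
        problems.add("runt")
    elif len(frame) > MAX_FRAME:
        problems.add("giant")
    if len(frame) < 4 or with_fcs(frame[:-4]) != frame:
        problems.add("crc_error")
    return problems


def demo():
    """Classify four constructed frames (addresses and payloads are made up)."""
    header = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    good = with_fcs(header + bytes(46))            # 14 + 46 + 4 = 64 bytes
    damaged = bytearray(good)
    damaged[20] ^= 0x01                            # single bit flipped in transit
    return {
        "good": classify(good),
        "damaged": classify(bytes(damaged)),
        "runt": classify(with_fcs(header + b"hi")),         # 20 bytes
        "giant": classify(with_fcs(header + bytes(1600))),  # 1618 bytes
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:8s} {sorted(problems) or 'ok'}")
```

On a general-purpose interface the three non-empty cases are discarded or merely counted before capture software sees them, which is why a monitoring host built on one can miss the physical-layer faults a dedicated analyzer records.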