> > These are all good ideas, however many sniffers are not Unix systems that
> > can be logged into and examined. I have worked with DOS based sniffers
> > (Network General Sniffer, Excelan, HP, etc) that are far superior to Suns
> > (as sniffers/protocol analyzers) and I doubt that they are easily detectable
> > even with their transmit lead intact.
>
> I don't think the machine you run sniffer software on could make it better
> or worse, they all get the same packets;)
>
> Patrick
> | Patrick J. Horgan Amdahl Corporation \\ Have |

The original question was whether a sniffer could go undetected on a network. My point is anyone with physical access to the network could do it with a machine nobody can log into, much less detect. These sniffers only generate traffic when instructed to, so with or without transmit leads these are probably undetectable.

As for the machine running the software, there is a world of difference in the diagnostic capabilities of a dedicated sniffer vs the typical Unix box. Busy Unix systems are more likely to drop packets than a dedicated sniffer (so they don't necessarily see the same packets). You could certainly spend the time to disassemble the raw data collected by the Unix system, but the sniffers make this much easier. Even Solaris' snoop (which is better than etherfind) is not as comprehensive as Network General's sniffer. I have also used X based protocol decoders that read RMON probe data that are excellent, but again, the data is collected by a dedicated network probe.

BTW, I'm not knocking Unix based systems for network analysis; I use them all the time and it is usually much easier than lugging a portable to the floor or subnet in question. For 95% of my network analysis, Unix utilities are more than adequate. But if I were an intruder with physical access to a network, I'd probably use a dedicated sniffer: no need to cut transmit leads or crack a system to get in.

My point is merely that these machines give superior analysis capabilities and are probably undetectable.

Colin