Re: detecting sniffers is downright easy

Kenneth R. van Wyk (krvw@assist.mil)
Wed, 10 May 95 09:45:49 -0400

Dr. Cohen writes:
> ...I thought I would mention that detecting sniffers from a
> real-world point of view is downright easy in almost all cases.
> ...
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique.  This has been widely published for
> over 5 years.

I agree with the above to a point.  The assumption that you are
making is that you have _access_ to the system that has a sniffer
installed on it.  The vast majority of sniffed sessions that I am
aware of have involved sniffers running on machines that the victim
doesn't have access to.  Picture a sniffer running on your local
Internet service provider's backbone system(s).  Anyone connecting
into your site using a static password results in that person's
password being sniffed - with no requirement for a sniffer to be
running on any of the systems within your local domain.  Take a look
at a traceroute output from your site to <any other internet site>
sometime and see just how many systems and networks your packets
traverse that you have absolutely no control or authority over.  How
would you (legally) detect a sniffer on one of those?

I do agree, however, that it is easy to detect any of the currently
observed sniffers on a host that you have access to.

Cheers,

Ken van Wyk
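The host-side check Dr. Cohen describes (hash the installed programs and compare them with the distribution's known-good digests), as an added example that is not part of this post or thread; the file names and contents are constructed, and the baseline is assumed to be kept on trusted media rather than on the host being checked. It shows what that check can and cannot see: a replaced or added file on a host you can examine, but nothing about an upstream host you have no access to.

```python
import hashlib
import os
import tempfile

def digest_file(path, algo="md5"):
    """Hex digest of one file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="md5"):
    """Hash every regular file under root, keyed by path relative to root.
    Symlinks are skipped so a link cannot stand in for the real binary."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = digest_file(full, algo)
    return baseline

def compare_to_baseline(root, baseline, algo="md5"):
    """Compare the live tree with a trusted baseline (distribution hashes).
    Returns (modified, missing, added) as sorted lists of relative paths.
    Baseline and checker must come from trusted media, not the host itself."""
    current = build_baseline(root, algo)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added

def demo():
    """Constructed scenario: hash a clean tree, then replace one program
    and drop in an extra file, as a modified host would show."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("bin/login", b"clean login"), ("bin/ps", b"clean ps")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)  # the "distribution" digests
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"replaced ps")  # same name, different contents
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"program not in the distribution")
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())  # → (['bin/ps'], [], ['bin/extra'])
```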