> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique. This has been widely published for
> over 5 years.

Any sniffer can be slightly modified to change its md5 checksum, so you can't tell if it is a sniffer or just another a.out program in someone's directory. And if a hacker uploads a sniffer, runs it, and removes the executable, the only thing you will find as a file might be the log file. And even then, if the sniffer is decent, it never saves the log to any file but rather e-mails or somehow transfers it back to another site. Then you won't be able to search for any files on disk.

Also, if it's a Solaris machine, you can't tell if the machine is in promiscuous mode, so you can't tell if the machine is even sniffing. The possible chance is if ps shows a process out of the ordinary, but it wouldn't be hard for the hacker to name the process something like in.telnetd or named so it won't stick out. Then you might get lucky and see a single process eating up lots of CPU if you happen to be on a heavy network. If the sniffer is well written and is only sniffing certain packets, even the CPU usage will not be too noticeable.

> Thus, not only is detection of all Unix-based real-world sniffers not
> impossible or infeasible, it is downright easy and simple.

Uh huh. For $29.95, I'll send you the sniffer detector kit that will allow you to catch any and all sniffers on your networks. 8-)

I also have the Alien Chip Implant Removal kit on sale this month for $19.95. The ACIR is great for keeping martians out of your network.

I have created a FAQ on Sniffers that has many products for protection against sniffers and advice for detecting sniffers available at http://iss.net/iss/sniff.htm or send mail to info@iss.net.

Cheers,
Christopher

--
Christopher William Klaus          Voice: (404)441-2531.  Fax: (404)441-2431
Internet Security Systems, Inc.    Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
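The two detection approaches argued over above, worked as an added example (this is not code from the original post, from ISS, or from the quoted proposal). The first part builds an MD5 manifest of a constructed stand-in for an OS tree and compares the live tree against it: a trojaned system binary is caught, but a fresh a.out dropped in a home directory is only visible if you also report files that are not in the baseline at all, and a binary that was run and then deleted leaves nothing on disk to compare. The second part is the promiscuous-mode check the post says is unavailable on Solaris; on Linux the per-interface flags are exposed in /sys/class/net/<iface>/flags and IFF_PROMISC is 0x100 (from <linux/if.h>). The directory layout, file contents and flag values are constructed for the demo; pass a real /sys/class/net to promisc_interfaces() on a live host.

```python
import hashlib
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # value of IFF_PROMISC in <linux/if.h>


def md5_file(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its MD5."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(manifest, root):
    """Diff the live tree against a baseline manifest.

    Returns (modified, missing, unknown). Plain 'compare the OS programs with
    their distribution versions' only ever yields the first two lists; the
    third (files with no baseline entry) is the extra scan needed to notice
    an uploaded binary that never replaced anything.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unknown = sorted(p for p in current if p not in manifest)
    return modified, missing, unknown


def promisc_interfaces(sys_class_net):
    """Names of interfaces whose sysfs flags file has IFF_PROMISC set."""
    found = []
    for iface in sorted(Path(sys_class_net).iterdir()):
        flags_file = iface / "flags"
        if flags_file.is_file():
            flags = int(flags_file.read_text().strip(), 16)  # file reads like "0x1043"
            if flags & IFF_PROMISC:
                found.append(iface.name)
    return found


def demo():
    """Run the three checksum scenarios from the thread plus the promisc check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-in for the shipped OS tree (contents are placeholders).
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/sbin/in.telnetd").write_bytes(b"\x7fELF in.telnetd (constructed)")
        (root / "usr/sbin/named").write_bytes(b"\x7fELF named (constructed)")
        baseline = build_manifest(root)

        # Case 1: a system binary is replaced by a trojaned copy -> checksum differs.
        (root / "usr/sbin/in.telnetd").write_bytes(b"\x7fELF in.telnetd (constructed) + sniffer")
        trojaned = compare(baseline, root)

        # Case 2: original restored; a new a.out appears in a home directory.
        (root / "usr/sbin/in.telnetd").write_bytes(b"\x7fELF in.telnetd (constructed)")
        (root / "home/jdoe").mkdir(parents=True)
        (root / "home/jdoe/a.out").write_bytes(b"\x7fELF sniffer (constructed)")
        dropped = compare(baseline, root)

        # Case 3: the attacker ran it and removed the executable -> tree matches baseline.
        (root / "home/jdoe/a.out").unlink()
        removed = compare(baseline, root)

        # Constructed /sys/class/net: eth0 normal (UP|BROADCAST|RUNNING|MULTICAST),
        # eth1 the same flags plus IFF_PROMISC.
        for name, flags in (("eth0", "0x1043"), ("eth1", "0x1143")):
            (root / "sys/class/net" / name).mkdir(parents=True)
            (root / "sys/class/net" / name / "flags").write_text(flags + "\n")
        promisc = promisc_interfaces(root / "sys/class/net")

    return trojaned, dropped, removed, promisc


if __name__ == "__main__":
    for label, result in zip(("trojaned", "dropped", "removed", "promisc"), demo()):
        print(label, result)
```

Running it shows the argument in the thread directly: only the trojaned-binary case is caught by baseline comparison alone, the dropped a.out shows up solely in the `unknown` list, and the deleted sniffer leaves the tree indistinguishable from the baseline, so the promiscuous-mode flag is the only host-side signal left.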