To all,

Packet sniffing tools like snort, windump, ethereal, and even L0phtcrack3 all use the WinPcap device driver developed at Politecnico di Torino. So, an alternative to detecting sniffing activity on the network is to determine if the packet capture device driver is loaded on a machine. An admin can do this remotely from across the network, or locally during a "live" forensics investigation.

Go to: http://patriot.net/~carvdawg/perl.html and check out 'sniffer.pl'.

Note: This doesn't detect promiscuous mode NICs, but it is an alternative for detecting packet sniffers used on NT/2K systems.

Thanks,
Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
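The driver check the post describes, written as an added PowerShell example (it is not the poster's sniffer.pl). It assumes WinPcap registers its kernel driver as the Windows system driver named NPF (npf.sys), which the post does not state; remote queries go over WinRM/CIM and need admin rights on the target.

```powershell
# Added example: report whether the WinPcap kernel driver (assumed to be the
# system driver "NPF") is installed and/or running on one or more hosts.
# A driver that is present but stopped still shows the software is installed.
function Test-WinPcapDriver {
    [CmdletBinding()]
    param(
        # Hosts to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Service name of the capture driver (assumption: WinPcap uses "NPF").
        [string]$DriverName = 'NPF'
    )

    foreach ($target in $ComputerName) {
        try {
            # Win32_SystemDriver lists kernel drivers with their SCM state.
            $drv = Get-CimInstance -ClassName Win32_SystemDriver `
                -Filter "Name='$DriverName'" -ComputerName $target -ErrorAction Stop

            [pscustomobject]@{
                ComputerName = $target
                DriverFound  = [bool]$drv          # $false when no driver matched
                State        = if ($drv) { $drv.State }     else { $null }
                StartMode    = if ($drv) { $drv.StartMode } else { $null }
                PathName     = if ($drv) { $drv.PathName }  else { $null }
                Error        = $null
            }
        } catch {
            # Unreachable host or access denied: record it instead of aborting.
            [pscustomobject]@{
                ComputerName = $target
                DriverFound  = $null
                State        = $null
                StartMode    = $null
                PathName     = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Usage: sweep a list of workstations and flag any with the driver loaded.
Test-WinPcapDriver -ComputerName 'HOST1', 'HOST2' |
    Where-Object { $_.DriverFound -or $_.Error } |
    Format-Table -AutoSize
```

Rows with State 'Running' are hosts where the capture driver is currently loaded; rows with an Error need a follow-up by other means rather than being treated as clean.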
This archive was generated by hypermail 2b30 : Sun Oct 14 2001 - 07:52:32 PDT