Re: sniffer detection on switched based networks
From: Brett Harris <bsdbrett(at)yahoo.com.au>
Date: Wed Feb 05 2003 - 20:00:23 EST
arpwatch [ http://online.securityfocus.com/tools/142 ] keeps a database of IP/ARP pairings and generates logs or emails reporting any changes. That way if a machine running arpwatch is spoofed, the logs know about it. Since arpwatch is completely passive (only inspecting packets, not transmitting any), it won't clog your network up with any extra packets.

Many operating systems can be told to ignore changes to their ARP cache, so attempting to spoof that machine fails, because it won't accept the new MAC address.

ettercap [ http://ettercap.sourceforge.net/ ] is a program that makes arpspoofing mindlessly simple. It's worth checking out, just to see what would-be bad guys can use. Ettercap have forums on their page which sometimes deal with topics of detection/prevention etc.

I'm not aware of much else that can be done to detect such attacks, particularly passively.

Hope this was some help.

Regards,
Brett

> As we know sniffing on switch based networks is not

Received on Thu Feb 6 12:58:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:09 EDT
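
The passive IP/MAC pairing database described in the message above, as an added example that is not part of the original post and is not arpwatch's own code. It parses Ethernet ARP frames and reports when an IP address appears with a different MAC; the function names, event labels and sample frames (documentation address ranges) are constructed for this illustration.

```python
import struct

def build_arp(mac, ip, op=2):
    """Construct a 42-byte Ethernet II ARP frame (sample input only)."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = bytes(int(x) for x in ip.split("."))
    return (b"\xff" * 6 + m + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m + a + b"\x00" * 6 + a)

def parse_arp(frame):
    """Return (sender_ip, sender_mac) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return None if ip == "0.0.0.0" else (ip, mac)  # skip ARP probes

class PairingTable:
    """IP -> MAC database; reports changes, transmits nothing."""
    def __init__(self):
        self.current, self.previous = {}, {}

    def observe(self, ip, mac):
        old = self.current.get(ip)
        if old == mac:
            return None                      # pairing unchanged
        if old is None:
            event = "new station"            # first time this IP is seen
        elif self.previous.get(ip) == mac:
            event = "flip flop"              # reverted to the prior MAC
        else:
            event = "changed ethernet address"
        self.previous[ip], self.current[ip] = old, mac
        return (event, ip, old, mac)

def watch(frames):
    """Feed captured frames through the table and collect the reports."""
    table, events = PairingTable(), []
    for frame in frames:
        pair = parse_arp(frame)
        event = pair and table.observe(*pair)
        if event:
            events.append(event)
    return events

GW, HOST = "00:00:5e:00:53:01", "00:00:5e:00:53:0a"  # constructed documentation MACs
SAMPLE = [build_arp(GW, "192.0.2.1"), build_arp(HOST, "192.0.2.10"),
          build_arp(GW, "192.0.2.1"), build_arp(HOST, "192.0.2.1"),
          build_arp(GW, "192.0.2.1"), build_arp(HOST, "0.0.0.0", op=1)]
```

Calling watch(SAMPLE) returns two "new station" reports, then a "changed ethernet address" report when the gateway's IP shows up with the host's MAC, then a "flip flop" when the original MAC reasserts itself.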