Someone on my network has Wireshark. Can someone tell me how I can detect if he is capturing my PC's internet packets? I mean detect or prevent Wireshark from doing it.
asked 18 Sep '12, 09:30 Johnny
3 Answers:
Basically you can detect if a system on the same subnet is running a sniffer, if some conditions are fulfilled (see below). Reason: If the system runs the sniffer, its interface will be in promiscuous mode. The test works like this: Send a ping with the correct IP address into the network but with a wrong MAC address. The sniffing host will answer the ping packet, as it will receive every packet in promiscuous mode. There is a ready-to-use script in Nmap to support this detection.
HOWEVER: This method only works if,
BTW: There is no reliable way to prevent the use of a sniffer on a network.
Regards
answered 18 Sep '12, 13:11 Kurt Knochner ♦ edited 18 Sep '12, 13:27
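The probe described in the answer above, built and checked offline as an added example (not part of the original answer, and not Nmap's script): it constructs the echo request with the correct IP and a wrong destination MAC, and decides whether a captured frame is a reply to it. All MAC and IP values and all function names are constructed for illustration; sending the frame and capturing replies is left out.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip4(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))

def icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def frame(dst_mac, src_mac, src_ip, dst_ip, icmp) -> bytes:
    """Ethernet II + IPv4 (no options) + ICMP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                      64, 1, 0, ip4(src_ip), ip4(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + icmp

def build_probe(my_mac, wrong_mac, my_ip, target_ip, ident=0x5057, seq=1) -> bytes:
    """Echo request: correct target IP, deliberately wrong destination MAC."""
    return frame(wrong_mac, my_mac, my_ip, target_ip,
                 icmp_echo(8, ident, seq, b"promisc-probe"))

def answers_probe(rx: bytes, probe: bytes) -> bool:
    """True if rx is a valid ICMP echo reply from the probed IP to this probe."""
    if len(rx) < 42 or rx[12:14] != b"\x08\x00" or rx[23] != 1:
        return False
    ihl = (rx[14] & 0x0F) * 4
    total_len = struct.unpack("!H", rx[16:18])[0]
    icmp = rx[14 + ihl:14 + total_len]           # drop Ethernet padding
    return (len(icmp) >= 8 and icmp[0] == 0 and checksum(icmp) == 0
            and rx[26:30] == probe[30:34]         # reply source == probed IP
            and icmp[4:] == probe[38:])           # same id, seq and payload

if __name__ == "__main__":
    # Constructed sample addresses (locally administered MACs, TEST-NET-1 IPs).
    me, wrong, host = (bytes.fromhex(m) for m in
                       ("020000000001", "0200000000fe", "020000000002"))
    probe = build_probe(me, wrong, "192.0.2.10", "192.0.2.20")
    # Simulated reply from the probed host, padded to the 60-byte minimum frame.
    reply = frame(me, host, "192.0.2.20", "192.0.2.10",
                  icmp_echo(0, 0x5057, 1, b"promisc-probe")) + bytes(5)
    print("host answered wrong-MAC ping:", answers_probe(reply, probe))
```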
You can't usually detect Wireshark or any other sniffer that is passively capturing packets on your network, and most of the time that is not a problem at all. In today's switched networks, other PCs do not see your packets, because the switch will simply not forward them to any other node than the one it has to be delivered to. That is, as long as there is no SPAN port running (Switched Port ANalyzer) on the switch, and nobody uses hacking techniques like ARP cache poisoning etc.
answered 18 Sep '12, 12:31 Jasper ♦♦
Doesn't stop them from running it on a server if they have access, or from sniffing their own link and accessing data or running client apps while monitoring. For that matter, they could be running tshark, dumpcap, or tcpdump.
answered 03 Jun '15, 22:46 Lucidcryotank