
detect/prevent wireshark?

0

Someone on my network has Wireshark. Can someone tell me how I can detect if he is capturing my PC's internet packets? I mean detect or prevent Wireshark from doing it.

asked 18 Sep '12, 09:30


Johnny
accept rate: 0%


3 Answers:

2

Basically you can detect if a system on the same subnet is running a sniffer, if some conditions are fulfilled (see below).

Reason: If the system runs the sniffer, its interface will be in promiscuous mode. The test works like this: send a ping with the correct IP address into the network but with a wrong MAC address. The sniffing host will answer the ping packet, as it will receive every packet in promiscuous mode. There is a ready-to-use script in nmap to support this detection.

http://nmap.org/nsedoc/scripts/sniffer-detect.html

HOWEVER: This method only works if:

  • the sniffing host is on the same Layer 2 network
  • the sniffing host does not have a firewall that blocks incoming ICMP packets
  • the sniffing host does the sniffing with an interface that has TCP/IP enabled, and thus is able to answer the ICMP packet.

BTW: There is no reliable way to prevent the use of a sniffer on a network.

Regards
Kurt

answered 18 Sep '12, 13:11


Kurt Knochner ♦
accept rate: 15%

edited 18 Sep '12, 13:27
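As an added illustration of the two checks discussed in this answer (not code from the thread or from nmap), the Python below does two things: it tests the IFF_PROMISC flag Linux exposes for a local interface under /sys/class/net/<iface>/flags, and it builds the probe frame the answer describes (correct destination IP, a destination MAC no NIC owns) and recognises an ICMP echo reply to it in a captured frame. The bogus MAC ff:ff:ff:ff:ff:fe, the identifier, the TEST-NET addresses and the sample reply frame are all constructed for this example; sending the probe on a real network needs a raw socket and root, which this block deliberately does not do.

```python
"""Promiscuous-mode checks (added example, not from the original thread).

  1. Local check: parse /sys/class/net/<iface>/flags and test IFF_PROMISC
     (0x100 in <linux/if.h>).
  2. Network check: build the probe frame from the answer above (correct IPv4
     destination, bogus destination MAC) and detect an ICMP echo reply to it.
     A NIC in normal mode drops the frame; a promiscuous host passes it up the
     stack and answers, which is what the nmap sniffer-detect script relies on.
"""
import socket
import struct
from typing import Optional

IFF_PROMISC = 0x100        # from <linux/if.h>
ETH_P_IP = 0x0800
# Assumption for this example: a MAC that is neither broadcast nor any real NIC.
BOGUS_DST_MAC = bytes.fromhex("fffffffffffe")


def is_promiscuous(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_iface_promisc(iface: str) -> bool:
    """Local check: is this interface of the current host in promiscuous mode?"""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return is_promiscuous(fh.read())


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
               ident: int, icmp_type: int, seq: int = 1) -> bytes:
    """Ethernet + IPv4 + ICMP echo (type 8 = request, type 0 = reply)."""
    payload = b"sniffer-probe"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]   # checksum at offset 10
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + icmp


def build_probe(src_mac: bytes, src_ip: str, dst_ip: str, ident: int) -> bytes:
    """The probe from the answer: right IP address, wrong (unowned) MAC address."""
    return build_echo(BOGUS_DST_MAC, src_mac, src_ip, dst_ip, ident, icmp_type=8)


def is_reply_to_probe(frame: bytes, ident: int) -> Optional[str]:
    """Return the IPv4 source of an ICMP echo reply carrying our identifier, else None.

    A host that answers a frame addressed to a MAC it does not own received it
    in promiscuous mode (subject to the caveats listed in the answer)."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 1:             # IP protocol 1 = ICMP
        return None
    icmp = frame[14 + ihl:]
    if len(icmp) < 8 or icmp[0] != 0:  # ICMP type 0 = echo reply
        return None
    if struct.unpack("!H", icmp[4:6])[0] != ident:
        return None
    return socket.inet_ntoa(frame[14 + 12:14 + 16])


if __name__ == "__main__":
    # Constructed sample: our probe to 192.0.2.7 and a reply a promiscuous host would send.
    me, him = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    probe = build_probe(me, "192.0.2.1", "192.0.2.7", ident=0x1234)
    reply = build_echo(me, him, "192.0.2.7", "192.0.2.1", 0x1234, icmp_type=0)
    print("probe:", probe.hex())
    print("reply classified as from:", is_reply_to_probe(reply, 0x1234))
```

In practice the probe would be emitted once per host on the local subnet and the replies read back from a capture; a reply from a host whose NIC should have dropped the frame is the signal, and the absence of a reply proves nothing, for exactly the three reasons the answer lists.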

0

You can't usually detect Wireshark or any other sniffer that is passively capturing packets on your network, and most of the time that is not a problem at all. In today's switched networks, other PCs do not see your packets, because the switch will simply not forward them to any other node than the one it has to be delivered to. That is, as long as there is no SPAN port running (Switched Port ANalyzer) on the switch, and nobody uses hacking techniques like ARP cache poisoning etc.

answered 18 Sep '12, 12:31


Jasper ♦♦
accept rate: 18%

0

Doesn't stop them from running it on a server if they have access, or from sniffing their own link and accessing data or running client apps while monitoring. For that matter, they could be running tshark, dumpcap, or tcpdump.

answered 03 Jun '15, 22:46


Lucidcryotank
accept rate: 50%