This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I know if somebody is using wireshark to analyze traffic on the network?

asked 01 Jan '11, 17:18

skypemesm's gravatar image

skypemesm
46669
accept rate: 0%


While packet sniffing is generally quite passive, in that you are meant to be listening to just copies of packets there are techniques. As Hansang said one way is to detect how the network responds to certain ARP packets. Machine in promiscous mode (which Wireshark will normally have turned on, respond slightly different to non-promiscuous boxes. Another thing is to look for the name resolution queries that a Wireshark client might be using. If Wireshark has NR turned on, it will try and do a reverse lookup on IP addresses it sees. So if you inject a packet into the network with an IP address that other boxes are unlikely to be using, you might see Wireshark trying to do this reverse lookup.

In either case this isn't proof of wireshark use, and can probably be countered by appropriate configuration by the wireshark user.

To be honest if you want to try and manage the impact of packet sniffing on your network you are best off a) having a clear policy for your staff or those authorised to use network - and enforce it as a people management problem and b) lock down your network with appropriate configuration and have appropriate authentication/authorisation/auditing for system administration of your network.

In my opinion, if you are concerned about Wireshark use on you network, then you probably need to look at the broader issues of appropriate network security policy (such as encryption, network access control, separation of duties, and so on).

permanent link

answered 01 Jan '11, 19:20

martyvis's gravatar image

martyvis
8911525
accept rate: 7%

In a modern network using switches, they wouldn't be able to do much w/o resorting to arp poisoning or flooding. But other than tat, I'm not sure how you could tell.

permanent link

answered 01 Jan '11, 18:07

hansangb's gravatar image

hansangb
7912619
accept rate: 12%

All of the above is correct. However, if you have reason to suspect a specific user, there is a way to detect for certain that their network card is in promiscuous mode.

This needs to be done on the local network segment...

Assume the suspected computer has a MAC of AA:AA:AA:AA:AA:AA - use Hping3 to craft a ping (ICMP type 8) to the correct IP address, but a destination MAC address of ZZ:ZZ:ZZ:ZZ:ZZ:ZZ. If the NIC is is normal operation, it will ignore the packet and you will get no response. If the NIC is in promiscuous mode, it will process the packet and pass it to the TCP/IP stacks. You will get a response.

Works in my testing anyway...

permanent link

answered 28 Oct '13, 06:00

kpalmgren's gravatar image

kpalmgren
1446
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×20

question asked: 01 Jan '11, 17:18

question was seen: 28,744 times

last updated: 28 Oct '13, 06:00

p​o​w​e​r​e​d by O​S​Q​A