This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to determine if Wireshark is being used on my network? I've found Wireshark installed on an office machine and would like to know if there is a way for me to determine if this machine is being used to capture packets on our network, short of manually searching for saved captures on the machine. It would be best if I didn't have to have access to the actual machine running Wireshark to determine it, even if I have to use Wireshark on another node to determine if they are using it.

Please any help with this would be appreciated.

asked 08 Apr '13, 13:52


networking


You can't detect a fully passive sniffer on the network, with "fully passive" meaning that the PC running Wireshark (or any other sniffing software) uses a network card with its TCP/IP stack disabled. That way the card will only listen and never talk, so you can't spot it on the network.

If the network card is not completely passive you could try to detect if it is running in promiscuous mode, e.g. by using nmap: http://nmap.org/nsedoc/scripts/sniffer-detect.html

What you can do is examine PCs that have Wireshark installed to see if they created capture files in the past, but that is IT forensics and not network related; it also requires the quite special skill set of a computer forensics specialist.


answered 08 Apr '13, 14:02


Jasper ♦♦

See also: http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan . It lists 3 methods of detecting NICs in promiscuous mode (needed to capture packets of other machines).

Also please note that if you are on a switched network, the office PC with Wireshark on it will only see packets to/from itself and broadcasts/multicasts. In order for the PC to see other people's traffic, it might run tools that do ARP poisoning, and you will be able to see that on your network when you mirror the traffic on the switch port to this office PC. You will have to run Wireshark on another system to make the ARP poisoning visible.


answered 08 Apr '13, 14:41


SYN-bit ♦♦
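A worked example of the check SYN-bit describes above, added here and not part of the original answer: ARP replies collected from a mirrored switch port are scanned for an IP address claimed by more than one MAC, and for a single MAC claiming both the gateway and another host. The sample lines and the gateway address 10.0.0.1 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of "tshark -Y arp.opcode==2" summaries
# (made up for this example, not taken from a real capture).
SAMPLE_ARP_REPLIES = """\
1 0.000 10.0.0.1 is at 00:11:22:33:44:01
2 0.010 10.0.0.50 is at 00:11:22:33:44:50
3 0.020 10.0.0.1 is at 00:11:22:33:44:50
4 0.030 10.0.0.2 is at 00:11:22:33:44:02
5 0.040 10.0.0.50 is at 00:11:22:33:44:50
6 0.050 10.0.0.1 is at 00:11:22:33:44:50
7 0.060 10.0.0.2 is at 00:11:22:33:44:02
"""

REPLY_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) is at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_arp_replies(text):
    """Return (ip, mac) pairs from every line that contains an ARP reply."""
    pairs = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_arp_conflicts(pairs):
    """IPs that were announced by more than one MAC -> set of those MACs."""
    claims = defaultdict(set)
    for ip, mac in pairs:
        claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def find_multi_ip_macs(pairs):
    """MACs that announced more than one IP -> set of those IPs."""
    owned = defaultdict(set)
    for ip, mac in pairs:
        owned[mac].add(ip)
    return {mac: ips for mac, ips in owned.items() if len(ips) > 1}

def arp_spoof_report(text, gateway_ip):
    """Summarise conflicts; a MAC claiming the gateway plus another host is the classic MITM pattern."""
    pairs = parse_arp_replies(text)
    multi = find_multi_ip_macs(pairs)
    suspects = [mac for mac, ips in multi.items() if gateway_ip in ips]
    return {"conflicts": find_arp_conflicts(pairs),
            "multi_ip_macs": multi, "suspects": suspects}

if __name__ == "__main__":
    print(arp_spoof_report(SAMPLE_ARP_REPLIES, "10.0.0.1"))
```

A legitimate DHCP lease change also moves an IP to a new MAC, so treat a single conflict as a lead to confirm against the switch's MAC table rather than as proof.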

See my answer to a similar question:

http://ask.wireshark.org/questions/14351/detectprevent-wireshark

Regards
Kurt


answered 08 Apr '13, 14:50


Kurt Knochner ♦

question was seen: 17,144 times

last updated: 08 Apr '13, 14:50
