This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Detecting Wireshark usage

0

Is it possible to determine if Wireshark is being used on my network? I've found Wireshark installed on an office machine and would like to know if there is a way for me to determine if this machine is being used to capture packets on our network, short of manually searching for saved captures on the machine. It would be best if I didn't have to have access to the actual machine running Wireshark to determine it, even if I have to use Wireshark on another node to determine if they are using it.

Please, any help with this would be appreciated.

asked 08 Apr '13, 13:52

networking


3 Answers:

1

You can't detect a fully passive sniffer on the network, with "fully passive" meaning that the PC running Wireshark (or any other sniffing software) uses a network card with its TCP/IP stack disabled. That way the card will only listen and never talk, so you can't spot it on the network.

If the network card is not completely passive you could try to detect if it is running in promiscuous mode, e.g. by using nmap: http://nmap.org/nsedoc/scripts/sniffer-detect.html

What you can do is examine PCs that have Wireshark installed to see if they created capture files in the past, but that is IT forensics and not network related; it also requires the quite special skill set of a computer forensics specialist.

answered 08 Apr '13, 14:02

Jasper ♦♦

1

See also: http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan . It lists 3 methods of detecting NICs in promiscuous mode (needed to capture packets of other machines).

Also please note that if you are on a switched network, the office PC with Wireshark on it will only see packets to/from itself and broadcasts/multicasts. In order for the PC to see other people's traffic, it might run tools that do ARP poisoning, and you will be able to see that on your network when you mirror the traffic on the switch port to this office PC. You will have to run Wireshark on another system to make the ARP poisoning visible.

answered 08 Apr '13, 14:41

SYN-bit ♦♦
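The ARP-poisoning check described in the answer above, as an added example that is not part of the original Q&A: it reads ARP replies captured on a mirrored port and flags an IP answered by more than one MAC, or one MAC answering for many IPs. The input format assumes the text that `tshark -Y "arp.opcode==2" -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac` emits (those are Wireshark's real field names); the sample lines are constructed.

```python
# Added example (not from the original Q&A): flag ARP-poisoning indicators in
# ARP replies seen on a mirrored switch port. Input is assumed to be one
# "ip<TAB>mac" line per ARP reply, as produced by
#   tshark -Y "arp.opcode==2" -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac
# The sample below is constructed: aa:bb:cc:dd:ee:01 answers for the gateway
# 192.168.1.1 as well as for two other hosts.
from collections import defaultdict

SAMPLE_ARP_REPLIES = """\
192.168.1.1\t00:11:22:33:44:55
192.168.1.20\taa:bb:cc:dd:ee:01
192.168.1.1\taa:bb:cc:dd:ee:01
192.168.1.30\taa:bb:cc:dd:ee:01
192.168.1.1\taa:bb:cc:dd:ee:01
"""


def parse_arp_replies(text):
    """Return (ip, mac) pairs from tshark field output, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            continue
        records.append((parts[0], parts[1].lower()))
    return records


def find_arp_anomalies(records, max_ips_per_mac=2):
    """Return alerts as (kind, key, details) tuples.

    ip-conflict:          one IP was answered by more than one MAC (classic spoofing sign)
    mac-claims-many-ips:  one MAC answered for more than max_ips_per_mac IPs
    """
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for ip, mac in records:
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    alerts = []
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            alerts.append(("ip-conflict", ip, sorted(macs)))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac-claims-many-ips", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for kind, key, detail in find_arp_anomalies(parse_arp_replies(SAMPLE_ARP_REPLIES)):
        print(f"{kind}: {key} -> {', '.join(detail)}")
```

A single ip-conflict can also follow a legitimate NIC swap or DHCP lease change, so correlate the alert with timing and the switch's MAC table before acting on it.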

0

See my answer to a similar question:

http://ask.wireshark.org/questions/14351/detectprevent-wireshark

Regards
Kurt

answered 08 Apr '13, 14:50

Kurt Knochner ♦