This is a static archive of our old Q&A Site. Please post any new questions and answers at

How the sniffer detecting tool works ? (in brief)


i would like to know that how the sniffer detection tool detects the sniffer machine's IP Address on the broadcast domain? Please Dont give an example of nmap tool Thank you! Any Help will be really appreciable

asked 27 Oct '16, 03:38

kelvin's gravatar image

accept rate: 0%

One Answer:


answered 27 Oct '16, 15:52

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%


i want how the detection sniffer tool works, not how to detect the sniffer ! and Please i already used google before and all i got it is bullshit so stop giving me such useless suggestions!

(27 Oct '16, 23:59) kelvin

Hi Kelvin, I already assumed that you used Google to find an answer, so I also assumed you did not succeed in finding the answer. So instead of just posting the answer after googling it myself I wanted to help you with improving your Google skills by showing you how I was able to find the answer. With my search I have found a link to stackexcgange which had the following info:

DNS test - many packet sniffing tools perform IP address to name lookups to provide DNS names in place of IP addresses. To test this, you must place your network card into promiscuous mode and sends packets out onto the network aimed to bogus hosts. If any name lookups from the bogus hosts are seen, a sniffer might be in action on the host performing the lookups.

ARP Test - When in promiscuous mode the driver for the network card checks for the MAC address being that of the network card for unicast packets, but only checks the first octet of the MAC address against the value 0xff to determine if the packet is broadcast or not. Note that the address for a broadcast packet is ff:ff:ff:ff:ff:ff. To test for this flaw, if you send a packet with a MAC address of ff:00:00:00:00:00 and the correct destination IP address of the host. After receiving a packet, the Microsoft OS using the flawed driver will respond while in promiscuous mode. Probably it happens just with the default MS driver.

Ether Ping test - In older Linux kernels when a network card is placed in promiscuous mode every packet is passed on to the OS. Some Linux kernels looked only at the IP address in the packets to determine whether they should be processed or not. To test for this flaw, you have to send a packet with a bogus MAC address and a valid IP address. Vulnerable Linux kernels with their network cards in promiscuous mode only look at the valid IP address. To get a response, an ICMP echo request message is sent within the bogus packet leading to vulnerable hosts in promiscuous mode to respond.

Maybe there are more, the DNS test for me is the most reliable

Which I believe is the answer to your question. So I'm really sorry if you misunderstood my attempt to help you not only get your answer, but also improve your google skills at the same time...

(28 Oct '16, 02:16) SYN-bit ♦♦