This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to use wireshark on pc to find out if network traffic is being sniffed?

0

Hi,

Been searching the web but with not much luck in finding any good info. So wanted to post my question here. How do I set up wireshark to find out if someone is sniffing traffic on my network? And what would I be looking for in the capture to indicate that sniffing is really happening?

thank you for any info you can provide

asked 18 Jun '17, 12:54

Shad

edited 18 Jun '17, 12:55


One Answer:

1

That depends a lot on how much control you have over the network.

There are two aspects:

  • the sniffing itself
  • the delivery of the sniffing results.

You can only notice the sniffing itself using Wireshark if the person uses techniques which actively modify the network traffic, like ARP spoofing or ARP flooding, or downloading files from shared folders, all that done on your own compromised machine connected to the network or on some machine connected secretly. If they run a passive monitoring tool (Wireshark or tcpdump or alike) on one of your machines, or aren't sniffing raw network traffic but some files on the machines instead, you won't see anything using your own passive monitor, Wireshark.

Symptoms:

  • ARP spoofing would mean that you'd see wrong associations between destination IP addresses and destination MAC addresses on your LAN (you must know the real MAC addresses of your end devices and gateway elements and search for packets where the IP addresses of these devices are combined with other devices' MAC addresses)
  • MAC flooding would mean that you would see packets intended for other machines arriving at your own machine, and likely also a decrease in network throughput (supposing that you use switches rather than real hubs, on which this was normal behaviour)
  • downloading files from shared folders would be seen as file transfers between machines which are not expected to exchange files with each other, but you'd have to arrange mirroring of individual machines' traffic to your Wireshark machine one by one, as it is close to impossible to capture the traffic of the whole network.

You can notice the delivery of sniffing results if there are sessions to unknown destinations being opened by some of your machines, but this may not be a continuous activity, so you'd basically have to capture all your traffic over the internet uplink for days to have a chance to spot that, and you'd have to know what your "legal" traffic looks like. And if someone comes to collect the sniffed data with a flash disk now and then, Wireshark is also not the tool you need.

Oh, and all this is only valid if we talk about wired networks or file transfers; if someone is sniffing your wireless network, it is simply impossible to detect, as that can be done fully passively if your wireless passwords have leaked or you use weak encryption.

answered 18 Jun '17, 13:23

sindy

edited 18 Jun '17, 13:25
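The two symptoms from the answer that can actually be checked mechanically are the ARP one (an IP address claimed by a MAC address other than the real one) and the MAC flooding one (unicast frames for other hosts turning up on your interface). The script below is an added example, not part of the original answer, and it works on raw Ethernet frames so it needs nothing beyond the Python standard library; the frames, MAC addresses and IP addresses in it are constructed for the example and represent a small LAN with a gateway, two hosts and one machine sending a forged ARP reply. In practice you would feed it frames read from a pcap or a raw socket instead of the constructed list.

```python
"""Detect two sniffing symptoms from raw Ethernet frames (example, not from the original answer):
  1. ARP spoofing: an IP address claimed by a MAC address other than the one we know (or first saw).
  2. MAC flooding symptom: unicast frames addressed to a MAC that is not ours arriving on our port.
All frames, MAC addresses and IP addresses below are constructed sample data.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header: dst(6) src(6) ethertype(2) followed by the payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """ARP for IPv4 over Ethernet: htype=1, ptype=0x0800, hlen=6, plen=4."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes):
    """Return the sender/target bindings of an IPv4-over-Ethernet ARP packet, or None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def find_arp_conflicts(frames, known_macs=None):
    """Return (ip, claimed_mac, expected_mac) for every ARP packet whose sender binding
    contradicts known_macs (the real addresses you know) or, for unknown IPs, the first
    binding seen. Both requests and replies carry the sender's claimed IP->MAC binding."""
    seen = dict(known_macs or {})
    conflicts = []
    for frame in frames:
        eth = parse_frame(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            continue
        arp = parse_arp(eth["payload"])
        if arp is None or arp["spa"] == "0.0.0.0":  # 0.0.0.0 is an ARP probe, claims nothing
            continue
        expected = seen.setdefault(arp["spa"], arp["sha"])
        if arp["sha"] != expected:
            conflicts.append((arp["spa"], arp["sha"], expected))
    return conflicts


def find_foreign_unicast(frames, my_mac: str):
    """Return destination MACs of unicast frames that are not for us. Broadcast and
    multicast (I/G bit, lowest bit of the first octet, set) are normal and skipped."""
    foreign = []
    for frame in frames:
        eth = parse_frame(frame)
        if mac_bytes(eth["dst"])[0] & 1:
            continue
        if eth["dst"] != my_mac.lower():
            foreign.append(eth["dst"])
    return foreign


# Constructed sample LAN: us, a gateway, a peer host and one machine forging ARP replies.
MY_MAC, MY_IP = "02:00:00:00:00:10", "192.168.1.10"
GW_MAC, GW_IP = "aa:bb:cc:00:00:01", "192.168.1.1"
PEER_MAC, PEER_IP = "02:00:00:00:00:20", "192.168.1.20"
ATTACKER_MAC = "de:ad:be:ef:00:01"
KNOWN_MACS = {GW_IP: GW_MAC}  # the real addresses you are expected to know in advance

SAMPLE_FRAMES = [
    # legitimate ARP reply from the real gateway to us
    build_frame(MY_MAC, GW_MAC, ETHERTYPE_ARP, build_arp(ARP_REPLY, GW_MAC, GW_IP, MY_MAC, MY_IP)),
    # normal broadcast ARP request from a peer looking for the gateway
    build_frame("ff:ff:ff:ff:ff:ff", PEER_MAC, ETHERTYPE_ARP,
                build_arp(ARP_REQUEST, PEER_MAC, PEER_IP, "00:00:00:00:00:00", GW_IP)),
    # forged reply: the attacker claims the gateway's IP with its own MAC
    build_frame(MY_MAC, ATTACKER_MAC, ETHERTYPE_ARP, build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, MY_MAC, MY_IP)),
    # unicast IPv4 frame between two other hosts; a working switch would never deliver it to us
    build_frame("00:11:22:33:44:55", PEER_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for ip, claimed, expected in find_arp_conflicts(SAMPLE_FRAMES, KNOWN_MACS):
        print(f"ARP conflict: {ip} claimed by {claimed}, expected {expected}")
    for dst in find_foreign_unicast(SAMPLE_FRAMES, MY_MAC):
        print(f"unicast frame for {dst} seen on our port (hub-like behaviour, possible MAC flooding)")
```

Without `known_macs` the script trusts the first binding it sees, which is also what an attacker who starts before your capture would exploit, so supply the real addresses of your gateway and servers whenever you can. Wireshark does the first check for you as well: the ARP dissector flags an IP seen with more than one MAC in the same capture, and the display filter `arp.duplicate-address-detected` shows those packets.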

Hi Sindy,

Thanks for your reply and for the info. Yes, sounds difficult. I've checked my ARP table and it looks OK. I'm not as concerned about my internal network getting sniffed, but more from the external. In other words, I am more concerned about my traffic being sniffed from anywhere outside my premises, perhaps even from the ISP. I have read here and there that Wireshark may be able to detect if any sniffing is indeed happening. But it sounds like I would have to check every IP address that is captured and see where it is connecting to, and that for sure isn't easy to check and is very tedious. Was hoping there was a tell-tale way to check. Any suggestions would be really appreciated. Thanks in advance to anyone that may have a way to check.

(18 Jun '17, 23:32) Shad

"I am more concerned about my traffic being sniffed from anywhere outside my premises, perhaps even from the ISP"

Well, if your ISP is sniffing your traffic which passes through their network, there is no (0) way for you to notice that. On the other hand, if you (and your users) use secure protocols and do not ignore safety warnings about non-matching certificates, then the ISP can learn little more than just the list of sites you visit and the amount of traffic which you exchange with them.

Unless you are the U.S. embassy in Russia or vice versa, the ISPs usually have enough more important things to do than spy on their clients. And it is one of the least efficient methods for the above-mentioned reason. Reportedly (I'm not directly involved in network security) and sadly, non-loyal insiders are the most efficient one.

(19 Jun '17, 13:18) sindy