Hi, I've been searching the web but without much luck in finding any good info, so I wanted to post my question here. How do I set up Wireshark to find out if someone is sniffing traffic on my network? And what would I be looking for in the capture to indicate that sniffing is really happening? Thank you for any info you can provide.
asked 18 Jun '17, 12:54 by Shad, edited 18 Jun '17, 12:55
One Answer:
That depends a lot on how much control you have over the network. There are two aspects:
You can only notice the sniffing itself using Wireshark if the person uses some technique which actively modifies the network traffic, like ARP spoofing or ARP flooding, or downloading files from shared folders, all that done on your own compromised machine connected to the network or on some machine connected secretly. If they run a passive monitoring tool (Wireshark, tcpdump or the like) on one of your machines, or aren't sniffing raw network traffic but some files on the machines instead, you won't see anything using your own passive monitor, Wireshark. Symptoms:
You can notice the delivery of sniffing results if sessions to unknown destinations get opened by some of your machines, but this may not be a continuous activity, so you'd basically have to capture all your traffic over the internet uplink for days to have a chance to spot that, and you'd have to know what your "legal" traffic looks like. And if someone comes to collect the sniffed data on a flash disk now and then, Wireshark is also not the tool you need. Oh, and all this is only valid if we talk about wired networks or file transfers; if someone is sniffing your wireless network, it is simply impossible to detect, as that can be done fully passively if your wireless passwords have leaked or you use weak encryption.
answered 18 Jun '17, 13:23 by sindy, edited 18 Jun '17, 13:25
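As an added example (not part of sindy's answer), a small Python script that checks for the two ARP symptoms the answer names, spoofing (one IP claimed by more than one MAC) and flooding (a burst of requests from one sender), over constructed records. The input shape assumed is what `tshark -r capture.pcap -Y arp -T fields -e frame.time_epoch -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4` prints; the burst threshold and window are assumptions, not Wireshark defaults.

```python
from collections import defaultdict

# Constructed sample in tshark "-T fields" shape: epoch time, ARP opcode
# (1 = request, 2 = reply), sender MAC, sender IP. The gateway 192.168.1.1
# is first answered by aa:bb:cc:00:00:01 and later by de:ad:be:ef:00:99,
# which then also sends a burst of 30 requests in well under a second.
SAMPLE_ARP_FIELDS = "\n".join(
    ["1497790000.10\t2\taa:bb:cc:00:00:01\t192.168.1.1",
     "1497790001.20\t2\taa:bb:cc:00:00:01\t192.168.1.1",
     "1497790002.30\t2\tde:ad:be:ef:00:99\t192.168.1.1",
     "1497790003.00\t1\taa:bb:cc:00:00:02\t192.168.1.50"]
    + [f"{1497790004 + i * 0.02:.2f}\t1\tde:ad:be:ef:00:99\t192.168.1.{100 + i}"
       for i in range(30)]
)

def parse_arp_lines(text):
    """Turn tab-separated tshark field lines into (ts, opcode, mac, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, opcode, mac, ip = line.split("\t")
        records.append((float(ts), int(opcode), mac.lower(), ip))
    return records

def ip_to_mac_conflicts(records):
    """IPs asserted by more than one sender MAC in ARP replies (spoofing symptom)."""
    seen = defaultdict(set)
    for _, opcode, mac, ip in records:
        if opcode == 2:  # only replies assert an IP -> MAC binding
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def request_bursts(records, window=1.0, threshold=20):
    """Senders whose ARP requests in any `window` seconds reach `threshold` (flooding)."""
    per_mac = defaultdict(list)
    for ts, opcode, mac, _ in records:
        if opcode == 1:
            per_mac[mac].append(ts)
    flagged = {}
    for mac, times in per_mac.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):       # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[mac] = best
    return flagged

if __name__ == "__main__":
    recs = parse_arp_lines(SAMPLE_ARP_FIELDS)
    print("IP/MAC conflicts:", ip_to_mac_conflicts(recs))
    print("request bursts:", request_bursts(recs))
```

A gateway IP that suddenly answers from a new MAC is the usual ARP spoofing symptom; a flagged burst of requests is worth comparing against a normal baseline before treating it as a scan.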
Hi Sindy,
Thanks for your reply and for the info. Yes, it sounds difficult. I've checked my ARP table and it looks OK. I'm not as concerned about my internal network getting sniffed, but more about the external. In other words, I'm more concerned about my traffic being sniffed from anywhere outside my premises, perhaps even by the ISP. I have read here and there that Wireshark may be able to detect if any sniffing is indeed happening. But it sounds like I would have to check every IP address that is captured and see where it is connecting to, and that for sure isn't easy to check and is very tedious. I was hoping there was a tell-tale way to check. Any suggestions would be really appreciated. Thanks in advance to anyone who may have a way to check.
Well, if your ISP is sniffing your traffic which passes through their network, there is no (0) way for you to notice that. On the other hand, if you (and your users) use secure protocols and do not ignore safety warnings about non-matching certificates, the ISP can learn little more than the list of sites you visit and the amount of traffic you exchange with them.
Unless you are the U.S. embassy in Russia or vice versa, ISPs usually have more important things to do than spy on their clients. And it is one of the least efficient methods, for the a.m. reason. Reportedly (I'm not directly involved in network security) and sadly, non-loyal insiders are the most efficient one.