Find Sniffer on LAN
Solution 1:
It is very difficult to detect sniffers, because they work passively. Some sniffers do generate small amounts of traffic though, so there are some techniques for detecting them.
- Machines cache ARPs (Address Resolution Protocol). If you send a non-broadcast ARP, a machine in promiscuous mode (a mode that makes the network card pass all traffic up to the host) will cache your ARP address. Then send a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. So, if the machine responds, it must be sniffing.
- Most sniffers do some parsing. Send a huge amount of data and ping the suspect machine before and during the data flooding. If the network card of the suspected machine is in promiscuous mode, it will parse the data and increase the load on it. This way it takes some extra time to respond to the ping. This little delay can be used as an indicator of whether a machine is sniffing or not. It could provoke some false positives, if there were some "normal" delays on the network because of high traffic.
- The following method is old and not reliable any longer: sending a ping request with the IP address of the suspect machine but not its MAC address. Ideally nobody should see this packet as each network card will reject the ping because it doesn't match its MAC address. If the suspect machine is sniffing it will respond as it does not bother rejecting packets with a different Destination MAC address.
There are some tools which implement these techniques, for example the open source tools Neped and ARP Watch, or AntiSniff for Windows, which is a commercial tool.
If you want to prevent sniffing, the best way is to use encryption for any network activity (SSH, https etc.). This way sniffers can read the traffic, but the data won't make any sense to them.
Solution 2:
Packet sniffing is a passive activity; it's generally not possible to tell if someone is sniffing your network. However, in order for someone on a wired, switched LAN to see traffic that's not destined just to or from their IP (or broadcast to the network/subnet) they need to either have access to a monitored/mirrored port that duplicates all traffic, or install a 'tap' on the gateway.
Best defense against sniffing is decent end-to-end encryption, and physical controls on sensitive hardware.
Edit: CPM, Neped, and AntiSniff are now 10-15 years stale... Think Linux kernel <2.2 or Windows NT4. If someone has access to a tap or mirror, it will generally be very difficult to detect. Manipulating ARP or DNS is probably the best bet, but it's far from a sure thing.
Solution 3:
The (I believe) only way you can sniff all traffic on a switched LAN is with a 'man in the middle' attack. You basically do ARP poisoning, stealing everyone's packets, reading them and sending them to the right computer afterwards.
There are probably multiple tools that can do this, I only know of one:
Ettercap can both perform the MitM attack and detect one when someone else is doing it.
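Both the ARP Watch mentioned in Solution 1 and the detection side of Ettercap mentioned here rest on the same observation: ARP poisoning shows up on the wire as an IP address whose MAC binding changes, flips back and forth, or as one MAC suddenly answering for several IPs. The script below is an added example of that monitoring logic, not code from either answer or from those tools. It parses raw Ethernet/ARP frames with `struct`, keeps an IP-to-MAC table, and raises alerts in the arpwatch vocabulary ("new station", "changed ethernet address", "flip flop"). The frames, MAC addresses and IPs it runs over are constructed sample input that reproduces the pattern Solution 3 describes; on a real host you would feed `observe()` frames from a raw socket or a pcap instead.

```python
"""ARP-watch style monitor: learn IP-to-MAC bindings from ARP frames and
alert on the changes that ARP-poisoning man in the middle produces.

Added example with constructed sample frames; not code from the page.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(':', ''))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split('.'))


def mac_str(b: bytes) -> str:
    return ':'.join(f'{x:02x}' for x in b)


def ip_str(b: bytes) -> str:
    return '.'.join(str(x) for x in b)


def parse_arp_frame(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns the ARP fields as a dict, or None for anything else."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack('!6s6sH', frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack('!6s4s6s4s', frame[22:42])
    return {'oper': oper, 'sha': mac_str(sha), 'spa': ip_str(spa),
            'tha': mac_str(tha), 'tpa': ip_str(tpa)}


def build_arp_frame(oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a raw ARP frame; used here only to construct sample input."""
    dst = b'\xff' * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack('!6s6sH', dst, mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpWatch:
    """Learns the sender binding of every ARP request and reply it sees."""

    def __init__(self):
        self.table = {}                  # ip -> mac currently claiming it
        self.seen = defaultdict(set)     # ip -> every mac that ever claimed it

    def observe(self, frame: bytes) -> list:
        arp = parse_arp_frame(frame)
        if arp is None or arp['spa'] == '0.0.0.0':   # not ARP, or a DHCP-style probe
            return []
        ip, mac = arp['spa'], arp['sha']
        alerts = []
        known = self.table.get(ip)
        if known is None:
            alerts.append({'kind': 'new-station', 'ip': ip, 'mac': mac})
        elif known != mac:
            kind = 'flip-flop' if mac in self.seen[ip] else 'changed'
            alerts.append({'kind': kind, 'ip': ip, 'old': known, 'new': mac})
        self.table[ip] = mac
        self.seen[ip].add(mac)
        # After a binding change, one MAC holding several IPs (typically the
        # gateway plus a victim) is the classic ARP-poisoning signature.
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if alerts and len(claimed) > 1:
            alerts.append({'kind': 'multi-ip', 'mac': mac, 'ips': claimed})
        return alerts


# Constructed sample addresses and capture (not taken from any real network).
GATEWAY, HOST, ROGUE = '00:11:22:33:44:01', '00:11:22:33:44:10', '00:11:22:33:44:ee'
GW_IP, HOST_IP = '192.168.1.1', '192.168.1.10'
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, HOST, HOST_IP, '00:00:00:00:00:00', GW_IP),  # who-has gateway
    build_arp_frame(ARP_REPLY, GATEWAY, GW_IP, HOST, HOST_IP),                # gateway is-at GATEWAY
    build_arp_frame(ARP_REPLY, ROGUE, GW_IP, HOST, HOST_IP),     # rogue tells host: gateway is-at ROGUE
    build_arp_frame(ARP_REPLY, ROGUE, HOST_IP, GATEWAY, GW_IP),  # rogue tells gateway: host is-at ROGUE
    build_arp_frame(ARP_REPLY, GATEWAY, GW_IP, HOST, HOST_IP),   # real gateway answers again
]


def run_demo():
    """Feed the sample capture through the monitor; returns (frame_no, alert) pairs."""
    watch = ArpWatch()
    out = []
    for n, frame in enumerate(SAMPLE_FRAMES, 1):
        for alert in watch.observe(frame):
            out.append((n, alert))
    return out


if __name__ == '__main__':
    for n, alert in run_demo():
        print(f'frame {n}: {alert}')
```

The first two alerts are ordinary "new station" learning; the "changed" on frame 3, the "changed" plus "multi-ip" on frame 4 and the "flip flop" on frame 5 are the sequence to page someone about. A host with several legitimate IPs, or a VRRP/HSRP failover, will also trigger "multi-ip" or "flip flop", so the alerts are a prompt to look, not a verdict.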