The reader is referred here to an earlier article for the basics of sniffer detection. When sniffers are working on switches, the chances of detecting them are higher. In such a scenario the sniffer is not a passive device; it performs certain activities by which it can be detected.
ARP spoofing can be detected using a program called ARP Watch. It is used to monitor the ARP cache of a machine to see if there is duplication. If there is, it could trigger alarms and lead to detection of sniffers. It can be obtained at online.securityfocus.com/data/tools/arpwatch.tar.Z
As is clear from the above sections, one method of sniffing in a switched environment is using ARP spoofing, and the machine that will most probably be ARP spoofed is the gateway. One thing that can be done is to add the MAC address of the gateway permanently to your ARP cache. This can be done by giving the -s flag to the arp command. Read more about this on the arp man page. Alternatively, you could use the /etc/ethers file for placing the MAC addresses of the important machines to prevent spoofing of those machines.
Final words of advice: Use encryption. Switch to SSH and SCP instead of Telnet and FTP.
Sumit Dhar works for SLMsoft.com.
- Readers' Choice Awards 2013
- Mars Needs Women
- RSS Feeds
- Sublime Text: One Editor to Rule Them All?
- December 2013 Issue of Linux Journal: Readers' Choice
- Raspberry Pi: the Perfect Home Server
- IBM Will Minimize Impact of Future Disasters
- Linux Systems Administrator
- Tech Tip: Really Simple HTTP Server with Python
- Senior Perl Developer
- As much as I share your point
22 min 1 sec ago
- So girls had it better ?
3 hours 53 min ago
- Reply to comment | Linux Journal
4 hours 13 min ago
- why is GNOME 3 in the fifth position at 14.1 %?
9 hours 46 min ago
- Sublime Is Brilliant!
14 hours 48 min ago
15 hours 8 min ago
- Rapid[Disk,Cache] better than native ram caching?
15 hours 33 min ago
- Nothing is perfect
15 hours 46 min ago
- Mixtapes Community
21 hours 25 min ago
- KDE is one true DE
21 hours 59 min ago