infus3

How can I tell if someone is sniffing on my network?

27 posts in this topic

This won't work against anyone who knows what they're doing sniffing a network, with a card in monitor mode, unassociated to the network. In this mode, the sniffer gets raw 802.11 frames and also has the benefit of being able to capture packets from multiple networks simultaneously.

This got me thinking on the way home from work. Can you be absolutely sure that the firmware in the wireless card will not interact in some way with the network?

I believe that in the wired-world there are techniques for detecting promisuous clients on ethernet segments, and the only sure way is to use an AUI port (15pin D) transciever with the TX pair disconnected/cut.

There is a possibility that by accident (or by design) that a wireless card in monitor mode might be made to relieve itself from something transmitted at it...

Munge

PS. In general, No you can't tell if someone is sniffing wireless.

0

Share this post


Link to post
Share on other sites
This won't work against anyone who knows what they're doing sniffing a network, with a card in monitor mode, unassociated to the network. In this mode, the sniffer gets raw 802.11 frames and also has the benefit of being able to capture packets from multiple networks simultaneously.

This got me thinking on the way home from work. Can you be absolutely sure that the firmware in the wireless card will not interact in some way with the network?

I believe that in the wired-world there are techniques for detecting promisuous clients on ethernet segments, and the only sure way is to use an AUI port (15pin D) transciever with the TX pair disconnected/cut.

There is a possibility that by accident (or by design) that a wireless card in monitor mode might be made to relieve itself from something transmitted at it...

Munge

PS. In general, No you can't tell if someone is sniffing wireless.

Yes, this is a possibility, although I can say I've never seen it happen in practice. Even on the wired side, I've seen situations where the operating system or the tools used generate traffic that gives it away (such as responding to ARP packets it shouldn't have seen), but never a case where the card's drivers or the hardware itself generated a spurious frame.

It's probably even less likely than a wired card to give you away. Many cards won't even allow you to send frames in monitor mode.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now