# Is packet sniffing detectable?

## geders

Hello all.  I am wanting to use something like "ethereal" packet capture program to monitor any connections to and from my machine, but I was wondering if this is detectable?  Basically, my machine is hooked up at a university laboratory basically 24 hours a day, and I am concerned about security, but I don't want to piss the sysadmins off down here...we've got probably 60-80 SGI machines down here, and I don't want to raise any eyebrows...I'm assuming packet sniffing is purely passive, but want to make sure...

----------

## Ethernal

no, ethereal only logs traffic that passes through your box. so, no worries there. good luck! (sysadmins are always touchy about their networks) :Rolling Eyes:

----------

## RagManX

There are actually ways to detect sniffing, but they are very unreliable and give many false positives and false negatives.  If you sniff in non-promiscuous mode (only sniff traffic destined to and originating from your machine) then it is pretty much impossible for that to be detected.

Having said that, there are better ways to watch your machine than ethereal.  If you haven't ever spent time studying ethereal captures, you might be in for a bit of a surprise once the traffic starts rolling in.  I would recommend installing something like snort instead (ebuild is available) and letting it watch for you.

RagManX

----------

## geders

Promiscuous mode is enabled by default...is that detectable?

I am wanting to get snort up and running, but it is a bit more involved...just need to find the time...

----------

## klieber

Yes, sniffing is detectable, but extremely difficult.  Here's one method describing how to do it.  Search google for others.

I wouldn't worry too much about being detected.

--kurt

----------

## pjp

You could always inform the Admins that you are sniffing your machine for security.  If they are reasonable people, then they might not mind, and knowing about it before they find it would be helpful.

----------
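On the promiscuous-mode question raised in the thread: on a Linux host, a capture that enables promiscuous mode sets the kernel's `IFF_PROMISC` flag on the interface, and anyone with local access can read it from `/sys/class/net/<interface>/flags`. The script below is an added example, not code from any poster; the interface names and flag values in `constructed_demo` are constructed sample data.

```python
"""Report Linux interfaces whose kernel flags word includes IFF_PROMISC."""
import os
import tempfile

IFF_UP = 0x1         # value from <linux/if.h>
IFF_PROMISC = 0x100  # value from <linux/if.h>


def read_flags(sysfs_root, ifname):
    """Return the integer flags word for ifname, or None if unreadable."""
    try:
        with open(os.path.join(sysfs_root, ifname, "flags")) as fh:
            return int(fh.read().strip(), 16)  # file holds hex, e.g. 0x1103
    except (OSError, ValueError):
        # Interface disappeared, entry is not a device directory,
        # or the content is not a hex number.
        return None


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return [(name, is_up), ...] for interfaces with IFF_PROMISC set."""
    hits = []
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return hits  # not Linux, or sysfs not mounted
    for name in names:
        flags = read_flags(sysfs_root, name)
        if flags is not None and flags & IFF_PROMISC:
            hits.append((name, bool(flags & IFF_UP)))
    return hits


def constructed_demo():
    """Run the check over a constructed sysfs-like tree (not real data)."""
    sample = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003",
              "eth2": "0x1102", "bad0": "garbage"}
    with tempfile.TemporaryDirectory() as root:
        for name, flags in sample.items():
            os.mkdir(os.path.join(root, name))
            with open(os.path.join(root, name, "flags"), "w") as fh:
                fh.write(flags + "\n")
        return promiscuous_interfaces(root)


if __name__ == "__main__":
    for name, up in promiscuous_interfaces():
        print(f"{name}: PROMISC set ({'up' if up else 'down'})")
```

This is a local check on the host itself; it says nothing about whether another machine on the network can tell.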

