kingvandal
Jan 12 2005, 06:38 PM
Is this possible?
SoleKiller
Jan 12 2005, 08:18 PM
the sniffing must be made from inside the system
inside the connection that is
each service/operation made inside any system has some sort of syn
you just have to find that syn
and notice its change during the act
basically I believe it's possible
gman24
Jan 12 2005, 09:14 PM
Yes. On something like a hub you can watch DNS request packets. Although this isn't a surefire way, a lot of the time people will use sniffers that automatically do DNS lookup requests. If you see any copycat lookups to the same places you are visiting, it may be a sign you are being sniffed. Try making a bogus request and seeing if you see a copycat lookup.
You can test cards, depending on the OS, and see if they are in promiscuous mode. A card in promiscuous mode may be doing promiscuous sniffing.
If you are on a switched network you can watch for ARP poisoning attacks, since that is one of the ways to intercept information on switched networks.
Basically you look for a MAC that tries to be multiple IPs. If you see a computer consistently issuing ARP replies without getting a request, that is another sign.
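Added example, not part of the original thread or any poster's code: a Python sketch of the two ARP signals described in the post above (one MAC claiming several IPs, and replies that no request asked for). The function names, the 2-second window and the sample frames are assumptions made for this illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame -> (op, sender_mac, sender_ip, target_ip) or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

def find_arp_anomalies(capture, window=2.0):
    """capture: iterable of (timestamp, raw_frame). Returns both signals per MAC."""
    ips_by_mac = defaultdict(set)      # MAC -> every IP it claimed to own
    last_request = {}                  # IP asked for -> time of latest who-has
    unsolicited = defaultdict(int)     # MAC -> replies nobody asked for
    for ts, raw in capture:
        pkt = parse_arp(raw)
        if pkt is None:
            continue
        op, mac, sender_ip, target_ip = pkt
        if sender_ip != "0.0.0.0":     # ARP probes carry no binding
            ips_by_mac[mac].add(sender_ip)
        if op == 1:                    # request: remember which IP was asked for
            last_request[target_ip] = ts
        elif op == 2 and ts - last_request.get(sender_ip, float("-inf")) > window:
            unsolicited[mac] += 1      # reply with no recent matching request
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return {"multi_ip_macs": multi, "unsolicited_replies": dict(unsolicited)}

def make_frame(op, smac, sip, tmac, tip):  # builds the constructed sample frames only
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    dst = b"\xff" * 6 if op == 1 else mac(tmac)
    return (dst + mac(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(smac) + ip(sip) + mac(tmac) + ip(tip))

# Constructed sample: host .10 asks for the gateway and gets a normal answer, then
# a third MAC keeps claiming both the gateway's and the host's IP without being asked.
HOST, GW, ODD = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [(0.0, make_frame(1, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")),
          (0.1, make_frame(2, GW, "192.168.1.1", HOST, "192.168.1.10"))]
for i in range(3):
    SAMPLE.append((10.0 + i, make_frame(2, ODD, "192.168.1.1", HOST, "192.168.1.10")))
    SAMPLE.append((10.5 + i, make_frame(2, ODD, "192.168.1.10", GW, "192.168.1.1")))
print(find_arp_anomalies(SAMPLE))
```

Both signals are hints rather than proof: hosts doing proxy ARP legitimately answer for several IPs, and gratuitous ARP announcements are unsolicited by design.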
kingvandal
Jan 13 2005, 12:13 AM
Interesting. This I think I will look into a lot more. So there are, as I see it, many ways to know if you are being sniffed.
Thanks for info :-)
belgther
Jan 13 2005, 05:30 PM
how about ARP Poisoning?
because the main aim of ARP Poisoning is to sniff a computer. But it is not hard to detect, I guess... run a sniffer on your computer (Ethereal) and compare the traffic, and when you get a suspicious IP then it means you are being sniffed, since you compare it with your gateway...
btw, when thinking broadly, the owners of the computers that your traffic goes through can watch what you are doing. This can be misused and abused, but is useful for hunting criminals, because even our phones can be listened to by the telecommunication company. That's why encryption is strictly suggested.
cool_one
Jan 29 2005, 04:21 AM
or try desniff, just place it on your box and it will tell you if your box is in promiscuous mode.
as for a remote anti sniff, watching the DNS is good, BUT how about crafting fake telnet or ftp or some services packets and then watching to see if someone tries to use that completely false login? I've done this at work and found that a worker fired 6 months before was just now trying to take his revenge, and now he's going to court.
nolimit
Jan 29 2005, 10:43 PM
not to mention ARP poisoners such as Cain spam the network with ARP update packets that most IDS systems detect.
Terminal
Jan 30 2005, 05:15 PM
Cain can be very easily detected as it does not allow changing the default MAC of the fake IP it sets. It's 001122 or something like that. You can check it out though...

Also many promiscuous mode scanners are available (just google). Promiscan is one of them. Or even Cain gives an idea of promiscuous mode NICs by doing different broadcasts.
belgther
Jan 31 2005, 01:25 PM
QUOTE(vicky @ Jan 30 2005, 06:15 PM)
Cain can be very easily detected as it does not allow changing the default MAC of the fake IP it sets. It's 001122 or something like that. You can check it out though...

Also many promiscuous mode scanners are available (just google). Promiscan is one of them. Or even Cain gives an idea of promiscuous mode NICs by doing different broadcasts.
as far as I know, ARP poisoning can be detected easily, no matter which tool you use...
because a network will not allow 2 computers having the same IP... so for anyone familiar with netstat (or Ethereal in extreme cases), ARP poisoning is easily detectable...
however, most people are too lazy to do that, and they can get poisoned without noticing...
kingvandal
Jan 31 2005, 04:57 PM
I spoke with a buddy this weekend about security etc., and he says their firewall will only allow packets to go out the firewall but not back in unless it has an internal IP address as the return IP. So with that, say a guy/gal has made some kind of IE exploit but does not have remote access to the network. But he/she knows what the internal IP segments are. He/she could create a fake packet with the real destination and an internal return address and send it on its way, and when the firewall receives the packet it would see it as real. The packet could be a real webpage request and the return address would be coming from an internal IP address, which looks to the firewall to be a legit IE webpage request coming from an internal IP address. This is possible, right?
kv--