How do I detect dsniff on my network?
At layer-2: LBL’s arpwatch can detect changes in ARP mappings on the local network, such as those caused by arpspoof or macof.

At layer-3: A programmable sniffer such as NFR can look for either the obvious network anomalies or second-order effects of some of dsniff’s active attacks, such as:

• ICMP port unreachables to the local DNS server, a result of dnsspoof winning the race in responding to a client’s DNS query with forged data
• excessive, or out-of-window TCP RSTs or ACK floods caused by tcpkill and tcpnice

dsniff’s passive monitoring tools may be detected with the l0pht’s antisniff, if used regularly to baseline network latency (and if you can handle the egregious load it generates).

Honeynet techniques for sniffer detection (such as the sniffer detector at IBM Zurich GSAL) also present an interesting countermeasure of last resort…
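The layer-2 check above, as an added example that is not part of the original FAQ or of arpwatch: a minimal arpwatch-style watcher over a constructed list of observed ARP replies (the 192.0.2.0/24 addresses and MACs are placeholders). It raises arpwatch’s "changed ethernet address" and "flip flop" style alerts when an IP’s MAC changes, as arpspoof causes, plus a heuristic for the burst of new stations that macof-style flooding produces.

```python
# Constructed sample of ARP replies seen on the wire: (timestamp, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),   # gateway, first seen
    (1.0, "192.0.2.10", "00:00:5e:00:53:0a"),  # client, first seen
    (2.0, "192.0.2.1", "00:00:5e:00:53:01"),   # gateway again, unchanged
    (3.0, "192.0.2.1", "00:00:5e:00:53:0a"),   # gateway now claims the client's MAC
    (4.0, "192.0.2.1", "00:00:5e:00:53:01"),   # back to the original MAC: flip flop
]

# Constructed burst of replies from many never-seen stations within one second.
SAMPLE_FLOOD = [(10.0 + i / 10, f"192.0.2.{100 + i}", f"02:00:00:00:00:{i:02x}")
                for i in range(6)]


def watch_arp(replies):
    """Return arpwatch-style alerts (ts, kind, ip, mac) for an iterable of (ts, ip, mac).

    kind is one of: "new station", "changed ethernet address", "flip flop".
    """
    mapping = {}   # ip -> (current mac, previous mac)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in mapping:
            mapping[ip] = (mac, None)
            alerts.append((ts, "new station", ip, mac))
            continue
        current, previous = mapping[ip]
        if mac == current:
            continue                      # same binding as before, nothing to report
        # Reverting to the binding seen just before the last change is a flip flop,
        # the pattern a spoofer racing the real host produces; otherwise a plain change.
        kind = "flip flop" if mac == previous else "changed ethernet address"
        alerts.append((ts, kind, ip, mac))
        mapping[ip] = (mac, current)
    return alerts


def new_station_burst(alerts, window=1.0, threshold=3):
    """Heuristic for macof-style flooding: more than `threshold` new stations in `window` seconds."""
    times = sorted(ts for ts, kind, _, _ in alerts if kind == "new station")
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) > threshold:
            return True
    return False


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_ARP_REPLIES):
        print(alert)
    print("flood suspected:", new_station_burst(watch_arp(SAMPLE_FLOOD)))
```

On a live network the same logic would be fed from a packet capture of ARP replies; the constructed lists stand in for that feed here.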