嗅探检测

发布于 2024-09-28 15:40:12 字数 48 浏览 6 评论 0原文

有人能告诉我“测试 ICMP”究竟是如何工作的吗? (检测本地网络嗅探的方法之一)

Can someone tell me how exactly works "test ICMP"? (One of methods to detect sniffing in local network)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

空城仅有旧梦在 2024-10-05 15:40:12

嗅探检测基本上是检测网络中是否存在嗅探器。用于检测它们的嗅探器的主要功能是它们将网卡置于混杂模式,侦听所有流量。通常,嗅探器放置在具有完整 TCP/IP 堆栈的计算机上,该计算机将受到此模式的影响。

ICMP 是 ping 命令背后的协议。要 ping 一台计算机,您可以向其发送 ICMP Echo 请求数据包并等待 ICMP 响应数据包。通常,ICMP 请求嵌入在要通过网络传送的以太网数据包中。标准以太网数据包将包含所寻址网卡的 MAC 地址,以及嵌入式 ICMP 数据包中该机器的 IP 地址。该数据包将被适当的卡检测到,并且该机器将响应 ping。这是标准流程。

现在让我们看看,如果我们发送一个 ping 数据包(ICMP Echo 请求一),其中包含可疑嗅探器地址的 IP 地址,但其中包含不同的错误 MAC 地址,会发生什么情况?以太网信封。

  1. 如果嗅探器机器中的网卡处于混杂模式,则该机器不会接收数据包。机器自然不会有反应。 ping 尝试将会失败。

  2. 如果嗅探器机器中的网卡处于混杂模式,则机器将看到网络中的所有数据包。因此,该机器上的 TCP/IP 堆栈将通过识别接收到的数据包 IP 地址来接受 ping 数据包。因此堆栈将发送响应。 ping 尝试将成功

与其他检测方法类似,这种方法也存在误报和漏报的情况。嗅探器可能会被指示忽略所有 ICMP 请求。检测混杂模式并不完全是检测嗅探器,尽管它是一个非常重要的线索。

Sniffing detection is basically detecting if there are any sniffers in your network. The main feature of sniffers that is used to detect them is that they place the network card in promiscuous mode, listening for all traffic. Typically, a sniffer is placed on a machine with a full TCP/IP stack which will be affected by this mode.

ICMP is the protocol behind the ping command. To ping a machine, you send an ICMP Echo request packet to it and wait for an ICMP response one. Usually, the ICMP request is embedded in an Ethernet packet to be delivered across the network. A standard Ethernet packet would include the MAC address of the addressed network card, as well as the IP address of that machine in the embedded ICMP packet. The packet would be detected by the appropriate card and that machine would respond to the ping. This is the standard process.

Now let's see what happens if we sent a ping packet (ICMP Echo request one) with the IP address of the suspected sniffer address but with a different, faulty MAC address in the Ethernet envelope.

  1. If the network card in the sniffer machine is not on promiscuous mode, then the packet will not be received by that machine. Naturally, the machine wouldn't respond. The ping attempt would fail.

  2. If the network card in the sniffer machine is on promiscuous mode, then the machine will see all packets in the network. The TCP/IP stack on that machine would thus accept the ping packet by identifying the received packet IP address. The stack would thus send a response. The ping attempt would succeed.

Similar to other methods of detection, this has false positives as well as false negatives. The sniffer machine may be instructed to ignore all ICMP requests. Detecting promiscuous mode is not exactly detecting sniffers, though it is a very significant clue.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文