3. Detect Network Sniffing

1. Detect ARP Poisoning and promiscuous mode in a switched network

If you have a doubt on a target machine, ping it.

hping3 -c 1000000000 192.168.18.110

Now open Wireshark and edit preferences. Click on protocols options

From ARP menus, select detect ARP and IP spoofing.

Click Analyze from the menu bar and select Expert Information from the drop-down options. The Wireshark . Expert Information window appears; click to expand the Warning node labeled Duplicate IP address configured (10.10.1.11), running on the ARP/RARP protocol.

Arrange the Wireshark . Expert Information window above the Wireshark window so that you can view the packet number and the Packet details section. In the Wireshark . Expert Information window, click any packet (here, 463).

On selecting the packet number, Wireshark highlights the packet, and its associated information is displayed under the packet details section. Close the Wireshark . Expert Information window. The warnings highlighted in yellow indicate that duplicate IP addresses have been detected at one MAC address, as shown in the screenshot.

Nmap promiscuous/ Monitor mode detection

sudo nmap --script sniffer-detect 192.168.18.1

2. Detect ARP Poisoning using Capsa Network Analyzer

Quick detect ARP poisoning & ARP flooding with Colasoft Capsa - Colasoft

Requires use of school and work emails.

We can use hubu framework for arp poisoning

hubu.arp.poison 192.168.18.11 192.168.18.12

In the diagnosis tab, we can locate the ARP warning.

Certified Ethical Hacker (CEHv12) Practical hands on LabsUdemy