3. Detect Network Sniffing
A professional ethical hacker or pen tester should be able to detect sniffing on the network.

1. Detect ARP Poisoning and promiscuous mode in a switched network
If you suspect a machine, ping it.
hping3 -c 1000000000 192.168.18.110
Now open Wireshark and edit the preferences. Click the Protocols option.

Under the ARP entry, select the option to detect ARP and IP spoofing.


Click Analyze on the menu bar and select Expert Information from the drop-down options. The Wireshark · Expert Information window appears; click to expand the Warning node labeled Duplicate IP address configured (10.10.1.11), running on the ARP/RARP protocol.

Arrange the Wireshark · Expert Information window above the Wireshark window so that you can view the packet number and the Packet details section. In the Wireshark · Expert Information window, click any packet (here, 463).

On selecting the packet number, Wireshark highlights the packet, and its associated information is displayed under the packet details section. Close the Wireshark · Expert Information window. The warnings highlighted in yellow indicate that duplicate IP addresses have been detected at one MAC address, as shown in the screenshot.
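
The duplicate-IP warning comes down to one sender IP showing up with more than one sender MAC. The following is an added example (not from the original page and not Wireshark's own code) that applies the same check to raw ARP payloads; the MAC addresses, the gateway 10.10.1.1 and the function names are constructed for illustration.

```python
import socket
import struct

def build_arp(oper, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a 28-byte Ethernet/IPv4 ARP payload (only used to construct the sample)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None  # truncated payload
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, payload[8:14].hex(":"), socket.inet_ntoa(payload[14:18])

def find_duplicate_ips(payloads):
    """Flag frames whose sender IP was first seen with a different sender MAC."""
    first_seen, alerts = {}, []
    for frame_no, payload in enumerate(payloads, start=1):
        parsed = parse_arp(payload)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip junk and ARP probes
            continue
        _, mac, ip = parsed
        known = first_seen.setdefault(ip, mac)  # keep the first binding as baseline
        if known != mac:
            alerts.append((frame_no, ip, known, mac))
    return alerts

# Constructed capture: two legitimate hosts, then one MAC claiming both of their IPs.
SAMPLE = [
    build_arp(2, "00:11:22:33:44:01", "10.10.1.1", "10.10.1.11"),
    build_arp(1, "00:11:22:33:44:0b", "10.10.1.11", "10.10.1.1"),
    build_arp(2, "00:11:22:33:44:99", "10.10.1.1", "10.10.1.11"),
    b"\x00\x01\x08\x00",  # truncated payload, ignored by the parser
    build_arp(2, "00:11:22:33:44:99", "10.10.1.11", "10.10.1.1"),
]

if __name__ == "__main__":
    for frame_no, ip, known, mac in find_duplicate_ips(SAMPLE):
        print(f"frame {frame_no}: {ip} first seen at {known}, now claimed by {mac}")
```

A changed binding is not always an attack: DHCP reassignment or a failover pair can trigger the same alert, so confirm against the known MAC of the gateway before acting.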

Nmap promiscuous/monitor mode detection
sudo nmap --script sniffer-detect 192.168.18.1

2. Detect ARP Poisoning using Capsa Network Analyzer
Requires use of school and work emails.
We can use the Habu framework for ARP poisoning.
habu.arp.poison 192.168.18.11 192.168.18.12
In the Diagnosis tab, we can locate the ARP warning.