Do you know whether your Windows system is sniffing traffic off the network without your knowledge?

This type of passive attack can be very difficult to detect. There are numerous third-party tools that try to detect network sniffers running on the network by looking for signs of systems with network interfaces running in “promiscuous mode.” Since many of these tools use network-based detection techniques that rely on bugs in operating systems and/or specific sniffer behavior, they can generate false positive and false negative results.

I have developed a tool that can detect managed Windows systems that have network interfaces running in promiscuous mode – a key indicator that a network sniffer is running on the system. I use a host-based detection technique instead of a network-based detection technique in order to make this tool as accurate as possible.

I built two versions of this tool:

  • Promqry – a command line tool
  • PromqryUI – a tool with a GUI

Both of these tools essentially have the same functionality:

  • Query the local system’s network interfaces
  • Query a single remote system’s interfaces
  • Query a range of remote systems’ interfaces
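A host-based check of this kind can be sketched in PowerShell. This is an added example, not Promqry's code and not from the original post; it assumes the WMI class `MSNdis_CurrentPacketFilter` in `root\wmi` and the NDIS promiscuous filter bit `0x20`, and the function name and host names are hypothetical.

```powershell
# Added example (not Promqry's code). Run from an elevated prompt: the root\wmi
# namespace normally requires administrative rights. Remote queries made with
# Get-CimInstance -ComputerName need WinRM enabled on the target.
$NDIS_PACKET_TYPE_PROMISCUOUS = 0x20   # promiscuous bit of the NDIS packet filter

function Get-PromiscuousAdapter {      # hypothetical function name
    param(
        # Remote hosts to query; the default empty string means the local system.
        [string[]]$ComputerName = @('')
    )
    $query = @{
        Namespace   = 'root\wmi'
        ClassName   = 'MSNdis_CurrentPacketFilter'
        ErrorAction = 'Stop'
    }
    foreach ($target in $ComputerName) {
        $scope = @{}
        if ($target) { $scope.ComputerName = $target }
        $name = if ($target) { $target } else { $env:COMPUTERNAME }
        try {
            $rows = Get-CimInstance @query @scope
        } catch {
            # Unreachable or access denied means "unknown", never "clean".
            [pscustomobject]@{ Computer = $name; Adapter = $null; Filter = $null
                               Promiscuous = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($row in $rows) {
            $filter = [uint32]$row.NdisCurrentPacketFilter
            [pscustomobject]@{
                Computer    = $name
                Adapter     = $row.InstanceName
                Filter      = '0x{0:X8}' -f $filter
                Promiscuous = [bool]($filter -band $NDIS_PACKET_TYPE_PROMISCUOUS)
                Error       = $null
            }
        }
    }
}

# Local system, then a constructed list of remote hosts (placeholder names).
Get-PromiscuousAdapter | Format-Table -AutoSize
Get-PromiscuousAdapter -ComputerName 'host-a.example', 'host-b.example' |
    Where-Object { $_.Promiscuous -or $_.Error } | Format-Table -AutoSize
```

Legitimate packet-capture software sets the same bit, so compare hits against the systems where capture is expected.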

Both tools require the .NET Framework to run. This means you need the .NET Framework installed on the system you run Promqry or PromqryUI from, but not on the remote systems you want to query. If you don’t have the .NET Framework already installed, you can get it from here: http://msdn.microsoft.com/netframework/downloads/framework1_1/ The “general users” install package will be sufficient for most users.

You can get both versions of Promqry (for free) from the download center on www.microsoft.com using these links:

A command line version:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en

A version with a GUI:

http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en

I hope you find these tools useful.