Chris Steel wrote: >>What about sniffing inside a firewall. Is there any way yet of = possibly detecting a sniffer? I participated in a study of this sometime back. Summary, not very = likely. =20 A sniffer opens a network adapter in promiscuous mode (all packets = accepted regardless of destination address). On Ethernet detection was = almost impossible. A 10BaseT port that is open but has not seen any = packets transmitted was a trait of the commercial sniffers. On Token Ring, the sniffer would have to participate in the Ring Poll. = You can scan DLC addresses for manufacturer prefixes of known sniffer = makers. Also in an IBM environment, most commercial sniffers will = respond to Lan Network Manager polls with an "IBMNM Trace Tool Present" = broadcast. Using sniffer software on a general purpose workstation seemed to be = undetectable on both topologies. FWIW, Nathan ~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~ Nathan Gentry =09 VP Network Services Spectrum Technologies, Bermuda Internetworking and Security Consultants (441) 296-2578 Tel ngentry@ibl.bm (441) 296-2581 Fax spectrum@ibl.bm ~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~