Sdraveite,
 njakoi snaeli tool sa otkrivane na sniffer-i v v local-nata
mreza???
 Po princip namerih njakolko no sa Solaris i BSD , a as sam s
RedHat 9

Какво си намерил?

Защото аз съм ползвал snort, но не знам дали я има в RH.

 Ami Sniffdet naprimer, no sas nego problema e 4e nemoga da
 kompiliram - bibliotekite mi sa po-nova versia i neste da gi
rasposnae :(((
$./configure
...
checking for libnet-config... no
 configure: error: "*** libnet-config not found! You need it
to build sniffdet! ***"

 Vapreki 4e si ka4ih libnet , no versia 1.1.x , a sniffdet
mai iska 1.0.x
Njakakvi idei???

Znahi ot snifferite v LAN nqma spasenie.. :)
 I az dosta sa se pochudil po tozi vapros i edinstvenoto,
 koeto mojah da izmislq e da nabivam na raka MAC-ovete, s
 koito si govorq v arp cache, za da ne mogat da mi kill-vat
TCP vrazkite.
 Moje bi nqkakav kompromisen variant sa tunelite, no nqma
takova neshto kato zashtita sreshtu sniff po LAN.

 Vaprki tova 4isto teoreti4no e vasmozno da se otkrijat PC-ta
 4iito karti sa na promisc-mode - naprimer is net-a se
 raprashtat paketi - mnogo paketi - normalnite PC-ta prosto
 gi ignorirat sastoto ne sa sa tjah , a tesi s promisc-mode
 se nimavat s tjah -> togava moze da se sravni
 latenz-vremenata sas latenz vremenata na ping predi
 "navodnjavaneto" s paketi... Ima i drugi tehniki koito
 nesadrastvat mrezata , no sega da si pisha sam script sa
 tova - nesnam dali e po moite vasmoznosti :((( A i njakoi
 drug po-umen ot men sigurno otdavna se e setil sa nesto
takova :))

 sniffer-ite rabotqt na printzip Man-in-the-middle i ti
zarazqvat 
ARP cache-a.Tva go garantiram. 
Mozesh da poznaesh po arp cache na tvoqta mashina. 
Slozi si i APRWATCH programata i tq shte sledi vsichki 
promeni v mrezata-taka mozesh da hvanesh MAC-ovete na 
eventualnite sniffer-i. 
Drug nachin ne sum chuval.Ako namerish nie shte se radvame 
da go spodelish /SGM bi kazal syshtoto siguren sum :))/

 Специално за откриване на системи в promisc mode и за много
 други способи за анализ на мрежата върши чудесна работа и
една програма, казва се hunt. Работи с arp. Много е яка.

neped.c
no poneje mnogo trudno go otkrih - shte vi go paste-na:


 /* -----------------------------------------
     Network Promiscuous Ethernet Detector.
      Linux 2.0.x / 2.1.x, libc5 & GlibC
   -----------------------------------------
         (c) 1998 savage@apostols.org
   -----------------------------------------
   Scan your subnet, and detect promiscuous
   linuxes. It really works, not a joke.
   ----------------------------------------- */
   
/*
 * $Id: neped.c,v 1.4 1998/07/20 22:31:52 savage Exp $
 */
 
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <malloc.h>
#include <ctype.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <time.h>

#define ETH_P_ARP 	0x0806 
#define MAX_PACK_LEN 	2000
#define ETHER_HEADER_LEN 14
#define ARPREQUEST 	1
#define ARPREPLY 	2
#define perr(s) fprintf(stderr,s)

struct arp_struct
  {
    u_char  dst_mac[6];
    u_char  src_mac[6]; 
    u_short pkt_type;
    u_short hw_type;
    u_short pro_type;
    u_char  hw_len;
    u_char  pro_len;
    u_short arp_op;
    u_char  sender_eth[6];
    u_char  sender_ip[4];
    u_char  target_eth[6];
    u_char  target_ip[4];
  };

union
  {
    u_char full_packet[MAX_PACK_LEN];
    struct arp_struct arp_pkt;
  }
a;

#define full_packet a.full_packet
#define arp_pkt a.arp_pkt

char * 
inetaddr ( u_int32_t ip ) 
{
  struct in_addr in;
  in.s_addr = ip;
  return inet_ntoa(in);
}

char *
hwaddr (u_char * s)
{
  static char buf[30];
   sprintf (buf, "%02X:%02X:%02X:%02X:%02X:%02X", s[0], s[1],
s[2], s[3], s[4], s[5]);
  return buf;
}

void
main (int argc, char **argv)
{
  int rec;
  int len, from_len, rsflags;
  struct ifreq if_data;
  struct sockaddr from;
  u_int8_t myMAC[6];
  u_int32_t myIP, myNETMASK, myBROADCAST, ip, dip, sip;

  if (getuid () != 0)
    {
      perr ("You must be root to run this program!\n");
      exit (0);
    }
  if (argc != 2)
    {
      fprintf(stderr,"Usage: %s eth0\n", argv[0]);
      exit (0);
    }

   if ((rec = socket (AF_INET, SOCK_PACKET, htons
(ETH_P_ARP))) < 0)
    {
      perror("socket");
      exit (0);
    }

   printf
("----------------------------------------------------------\n");
  strcpy (if_data.ifr_name, argv[1]);
  if (ioctl (rec, SIOCGIFHWADDR, &if_data) < 0) {
    perr ("can't get HW addres of my interface!\n");
    exit(1);
  }
  memcpy (myMAC, if_data.ifr_hwaddr.sa_data, 6);
  printf ("> My HW Addr: %s\n", hwaddr (myMAC));

  if (ioctl (rec, SIOCGIFADDR, &if_data) < 0) {
    perr ("can't get IP addres of my interface!\n");
    exit(1);
  }
   memcpy ((void *) &ip, (void *) &if_data.ifr_addr.sa_data +
2, 4);
  myIP = ntohl (ip);
  printf ("> My IP Addr: %s\n", inetaddr(ip));

  if (ioctl (rec, SIOCGIFNETMASK, &if_data) < 0)
    perr ("can't get NETMASK addres of my interface!\n");
   memcpy ((void *) &ip, (void *)
&if_data.ifr_netmask.sa_data + 2, 4);
  myNETMASK = ntohl (ip);
  printf ("> My NETMASK: %s\n", inetaddr(ip));

  if (ioctl (rec, SIOCGIFBRDADDR, &if_data) < 0)
    perr ("can't get BROADCAST addres of my interface!\n");
   memcpy ((void *) &ip, (void *)
&if_data.ifr_broadaddr.sa_data + 2, 4);
  myBROADCAST = ntohl (ip);
  printf ("> My BROADCAST: %s\n", inetaddr(ip));

  if ((rsflags = fcntl (rec, F_GETFL)) == -1)
    {
      perror ("fcntl F_GETFL");
      exit (1);
    }

  if (fcntl (rec, F_SETFL, rsflags | O_NONBLOCK) == -1)
    {
      perror ("fcntl F_SETFL");
      exit (1);
    }

    printf
("----------------------------------------------------------\n");
  printf ("> Scanning ....\n");
   for (dip = (myIP & myNETMASK) + 1; dip < myBROADCAST;
dip++)
    {
      bzero(full_packet, MAX_PACK_LEN);

       memcpy (arp_pkt.dst_mac, "\0\6\146\3\23\67", 6); /*
00:06:66:03:13:37 :) */
      memcpy (arp_pkt.src_mac, myMAC, 6);
      arp_pkt.pkt_type = htons( ETH_P_ARP );
      arp_pkt.hw_type = htons( 0x0001 );
      arp_pkt.hw_len = 6;
      arp_pkt.pro_type = htons( 0x0800 );
      arp_pkt.pro_len = 4;
      arp_pkt.arp_op = htons (ARPREQUEST);
      memcpy (arp_pkt.sender_eth, myMAC, 6);
      ip = htonl (myIP);
      memcpy (arp_pkt.sender_ip, &ip, 4);
      memcpy (arp_pkt.target_eth, "\0\0\0\0\0\0", 6);
      ip = htonl (dip);
      memcpy (arp_pkt.target_ip, &ip, 4);

      strcpy(from.sa_data, argv[1]);
      from.sa_family = 1;
          
       if( sendto (rec, full_packet, sizeof (struct
arp_struct), 0, &from, sizeof(from)) < 0)
	  perror ("sendto");

      usleep (50);		

       len = recvfrom (rec, full_packet, MAX_PACK_LEN, 0,
&from, &from_len);
      if (len <= ETHER_HEADER_LEN)
	continue;

      memcpy (&ip, arp_pkt.target_ip, 4);
      memcpy (&sip, arp_pkt.sender_ip, 4);

      if (ntohs (arp_pkt.arp_op) == ARPREPLY
	  && ntohl (ip) == myIP
	  && ( dip - ntohl(sip) >= 0 )
	  && ( dip - ntohl(sip) <= 2 ) )
	{
 	  printf ("*> Host %s, %s **** Promiscuous mode detected
!!!\n",
		  inetaddr (sip),
		  hwaddr (arp_pkt.sender_eth));
	}

    }

  printf ("> End.\n");

  exit (0);
}

Хм, интересна програмка... И май работи;)

 Sdravei te, pri opit da compiliram polu4avam slednoto
saobstenie:
gcc -o anti anti.c
anti.c:23: parse error before character 0240
anti.c:23: warning: no semicolon at end of struct or union
anti.c:38: parse error before character 0240
 anti.c:42: warning: data definition has no type or storage
class
anti.c:42: parse error before `#'
anti.c: In function `hwaddr':
anti.c:52: parse error before character 0240
anti.c: In function `main':
anti.c:59: parse error before character 0240
anti.c:58: warning: return type of `main' is not `int'

Njakoi moze li da mikaze kakvo ne e nared???