Re: promiscuous eth0

To: Jaan Sarv <jaan@sarv.ee>
Cc: debian security list <debian-security@lists.debian.org>
Subject: Re: promiscuous eth0
From: Alexander Hvostov <vulture@aoi.dyndns.org>
Date: Wed, 7 Mar 2001 18:37:43 -0800 (PST)
Message-id: <[🔎] Pine.LNX.4.21.0103071836080.4687-100000@cornerstone.core.aoi>
In-reply-to: <[🔎] 007601c0a545$665448a0$47c332c3@estnet.ee>

On Mon, 5 Mar 2001, Jaan Sarv wrote:

> > Also, paranoid network administrators might be a little upset by it, since
> > Linux sends out a frame indicating it is switching into (or out
> > of) promiscuous mode. This is possible evidence that you're running a
> > sniffer of some kind (such as snort).
> 
> Hi,
> 
> How can I recognize such frames/packets? I know this isn't very effective
> method when trying to discover sniffers, but worth a shot.
> 
> Is there a way to disable those frames/packets?
> 
> Jaan
> 
> a bit paranoid :)
Unless I'm mistaken, there was an article in phrack magazine a while back
about a kernel patch that disables the sending of the "promscuous
mode" packet. For this reason, only misconfigured computers (or script
kiddies) would be sending this out; truly skilled {cr,h}ackers are
unlikely to not patch the kernel before doing any covert sniffing.

Regards,

Alex.

Reply to:

References:
- Re: promiscuous eth0
  - From: "Jaan Sarv" <jaan@sarv.ee>

Prev by Date: Re: kernel patches
Next by Date: Re: promiscuous eth0
Previous by thread: Re: promiscuous eth0
Next by thread: Re: promiscuous eth0
Index(es):
- Date
- Thread