On Mon, 5 Mar 2001, Jaan Sarv wrote:
> > Also, paranoid network administrators might be a little upset by it, since
> > Linux sends out a frame indicating it is switching into (or out
> > of) promiscuous mode. This is possible evidence that you're running a
> > sniffer of some kind (such as snort).
>
> Hi,
>
> How can I recognize such frames/packets? I know this isn't a very effective
> method when trying to discover sniffers, but worth a shot.
>
> Is there a way to disable those frames/packets?
>
> Jaan
>
> a bit paranoid :)

Unless I'm mistaken, there was an article in phrack magazine a while back
about a kernel patch that disables the sending of the "promiscuous
mode" packet. For this reason, only misconfigured computers (or script
kiddies) would be sending this out; truly skilled {cr,h}ackers are
unlikely to not patch the kernel before doing any covert sniffing.

Regards,
Alex.