[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: promiscuous eth0
This is really goofy. But I've been able to (at least in my case) narrow the "problem" down to using Xircom cards. The 3Com card that I use in my other Debian laptop works great (switching between the two demonstrates this behavior as well, so it isn't the laptop, and the 3Com card is Cardbus as well).
If I switch the Xircom to promiscuous mode, ping the gateway, and then switch back, everything is great. Until I switch it into promiscuous, though, no traffic occurs. The really weird thing is that I *do* get enough traffic through to allow DHCP configuration on startup. Using a static IP address works (although I'm hijacking an address in the DHCP field.. can't wait 'till the guy in charge finds out...) 

At 06:37 PM 3/7/2001 -0800, you wrote:

On Mon, 5 Mar 2001, Jaan Sarv wrote:
> > Also, paranoid network administrators might be a little upset by it, since 
> > Linux sends out a frame indicating it is switching into (or out
> > of) promiscuous mode. This is possible evidence that you're running a
> > sniffer of some kind (such as snort).
>
> Hi,
>
> How can I recognize such frames/packets? I know this isn't very effective
> method when trying to discover sniffers, but worth a shot.
>
> Is there a way to disable those frames/packets?
>
> Jaan
>
> a bit paranoid :)
Unless I'm mistaken, there was an article in phrack magazine a while back
about a kernel patch that disables the sending of the "promscuous
mode" packet. For this reason, only misconfigured computers (or script
kiddies) would be sending this out; truly skilled {cr,h}ackers are
unlikely to not patch the kernel before doing any covert sniffing.

Regards,

Alex.


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
eric.valor@lutris.com

- This Space Intentionally Left Blank -
Reply to: