Re: Packet sniffing & regular users

To: debian-security@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: Packet sniffing & regular users
From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Date: Fri, 04 Mar 2005 08:57:53 +1100
Message-id: <[🔎] 42278861.9020008@strategicdata.com.au>
In-reply-to: <[🔎] 1109882599.10921.4371.camel@duncan>
References: <[🔎] Pine.LNX.3.96.1050303005355.11220B-100000@Maggie.Linux-Consulting.com> <[🔎] 4226FAEB.6020507@eth0.is-a-geek.org> <[🔎] 1109882599.10921.4371.camel@duncan>

Duncan Simpson wrote:


BTW I think you might be able to detect promiscous mode with a raw
socket (at least on non-switched ethernet). If I send a ping packet to
192.168.1.42 using the wrong ethernet address then a response implies
promiscous mode because otherwise the interface would have dropped the
packet.

I have not investigated but think the kernel but think it would reliably
respond and 99.99% of attackers would not realised they had been
exposed.

Assuming that the promiscuous machine has arp spoofed that mac address,so that the switch will pass the packet down that port.



--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000

Reply to:

Follow-Ups:
- Re: Packet sniffing & regular users
  - From: Brian Kim <bmhkim@gmail.com>

References:
- Re: Packet sniffing & regular users
  - From: Alvin Oga <aoga@ns.Linux-Consulting.com>
- Re: Packet sniffing & regular users
  - From: David Mandelberg <mandelbergd@eth0.is-a-geek.org>
- Re: Packet sniffing & regular users
  - From: Duncan Simpson <duncan@commercialuk.com>

Prev by Date: Re: Packet sniffing & regular users
Next by Date: Re: Packet sniffing & regular users
Previous by thread: Re: Packet sniffing & regular users
Next by thread: Re: Packet sniffing & regular users
Index(es):
- Date
- Thread