how to find out promiscuous mode

Alan Cox alan at lxorguk.ukuu.org.uk
Thu Feb 4 11:17:03 UTC 2010


On Thu, 04 Feb 2010 09:06:27 +0200
Gilboa Davara <gilboad at gmail.com> wrote:

> On Wed, 2010-02-03 at 23:11 +0100, Vadkan Jozsef wrote:
> > How can I find out that someone is using its network card in
> > promiscuous mode in a subnet?
> > 
> > Thank you!
> > 
> 
> You can't.
> ... and even if you could, someone could potentially use a passive
> splitter and yank all the packets of the subnet.
> 
> Having said all that, if your network is switched (as opposed to using
> cheap FE hubs), only broadcast traffic (ARP/DHCP/etc) will be visible in
> promisc mode.

Which won't save you against a smart attacker unless you are keeping
an eye on the traffic on the network.

If I want to listen to IP traffic between A and B I can spoof ARP
frames in both directions, the switch will ensure neither box sees the
unicast ARPs being used to poison the other and I can then forward the
frames with the MAC headers faked.

Alan
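
Added example, not part of the original message or thread: one way of "keeping an eye on the traffic" for the ARP spoofing described above is to track which MAC address each IP is claimed by in ARP frames and alert when that binding changes. The function names, addresses and sample frames are constructed for illustration, and the code assumes the monitor actually receives the ARP frames (for example on the hosts themselves or on a switch mirror port).

```python
import struct
from ipaddress import IPv4Address

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return str(IPv4Address(frame[28:32])), mac(frame[22:28])

def find_rebinds(frames):
    """Return (ip, old_mac, new_mac) each time an IP is claimed by a new MAC."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] == "0.0.0.0":  # skip non-ARP and ARP probes
            continue
        ip, hw = parsed
        if ip in seen and seen[ip] != hw:
            alerts.append((ip, seen[ip], hw))
        seen[ip] = hw
    return alerts

def arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Build a constructed test frame (sample data only, nothing is sent)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(dst) + raw(src) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(sha) + IPv4Address(spa).packed + raw(tha) + IPv4Address(tpa).packed)

# Constructed capture: hosts A and B answer normally, then a third MAC claims both IPs.
A, B, X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
SAMPLE = [
    arp_frame(B, A, 2, A, "10.0.0.1", B, "10.0.0.2"),
    arp_frame(A, B, 2, B, "10.0.0.2", A, "10.0.0.1"),
    arp_frame(A, X, 2, X, "10.0.0.2", A, "10.0.0.1"),
    arp_frame(B, X, 2, X, "10.0.0.1", B, "10.0.0.2"),
]

if __name__ == "__main__":
    for ip, old, new in find_rebinds(SAMPLE):
        print(f"ALERT {ip} moved from {old} to {new}")
```

A legitimate address reassignment or NIC replacement raises the same alert, so each hit needs to be checked against known changes on the network.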

