Ethereal-users: Re: [Ethereal-users] What does it mean to "Capture" packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 28 Aug 2004 06:12:00 +1000
Obviously: if someone ARPs for a.b.c.d on a unicast garbage MAC
address and gets a reply, that is proof that host a.b.c.d has at
least one NIC in promisc mode.

The source MAC address in the reply gives the MAC address of the NIC
which is in promisc mode (which I hope you have already changed
anyway).



On Sat, 28 Aug 2004 06:10:18 +1000, ronnie sahlberg
<ronniesahlberg@xxxxxxxxx> wrote:
> Linux, for example, has weak bounding between a NIC and the IP addresses
> that are assigned in the IP layer.
> 
> Say you have two NICs connected to the same network, eth0 and eth1.
> eth0 has an IP address a.b.c.d but eth1 does not have any IP address assigned.
> 
> Due to the fact that the stack treats all IP addresses as global to
> the machine and not really bound to a particular interface (ifconfig
> lies to you here and makes you believe the IP address is bound to a
> NIC)
> 
> someone can:
> broadcast ARP for a.b.c.d and will get TWO replies, one reply from
> each of the NICs.
> 
> someone can ARP for a.b.c.d on a garbage nonexistent NIC and he/she will
> get a reply from your NIC that is in promisc mode, even though that
> particular NIC did not have IP address a.b.c.d, as long as a.b.c.d is
> the IP address of some other interface on your Linux box.
> 
> Many, many other techniques exist as well.
> 
> (The weak bonding between NIC and IP address causes lots of problems
> with multihomed boxens sitting behind broken load balancers, and they
> then have to set up software ARP/MAC filtering in the network stack to
> prevent these replies.)
> 
> 
> 
> 
> On Fri, 27 Aug 2004 14:51:55 -0500, Stef <stefmit@xxxxxxxxx> wrote:
> > I have my ethereal running on a non-IP-bound NIC, on my Linux box. Can
> > you please explain your statement to me?
> >
> > Thx,
> > Stef
> >
> > On Sat, 28 Aug 2004 05:40:17 +1000, ronnie sahlberg
> > <ronniesahlberg@xxxxxxxxx> wrote:
> > <snip>
> > > One of many many ways to spot such a NIC is trying to ping your host but sending
> > > the ping to a dummy/fake MAC address.
> > > If your NIC is in promisc mode  it will be passed through the NIC and
> > > your network stack will respond to the ping.
> > <snip>
>
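
The thread says a promiscuous NIC on Linux can answer ARP for an address that belongs to another interface, and that software ARP filtering is the countermeasure. The script below is an added example, not part of the original posts: it audits a host for that combination. It assumes a kernel that exposes the `arp_ignore` sysctl and the sysfs `flags` file; the function names and the root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: per-interface check for "promiscuous AND answers ARP for any
# local address". The root argument is hypothetical; it lets the audit run
# against a constructed directory tree as well as the live /proc and /sys.

# Effective arp_ignore is max(conf/all, conf/<iface>). 0 means the kernel
# replies for any local IP address, whichever interface the request came in on.
effective_arp_ignore() {
    root=$1 iface=$2
    conf="$root/proc/sys/net/ipv4/conf"
    all=$(cat "$conf/all/arp_ignore" 2>/dev/null || echo 0)
    own=$(cat "$conf/$iface/arp_ignore" 2>/dev/null || echo 0)
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# Promiscuous mode is bit 0x100 (IFF_PROMISC) of the hex word in sysfs "flags".
is_promisc() {
    root=$1 iface=$2
    flags=$(cat "$root/sys/class/net/$iface/flags" 2>/dev/null) || return 1
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# Print one line per interface: "<iface> promisc=<0|1> arp_ignore=<n> <verdict>".
audit_interfaces() {
    root=${1-}
    for dir in "$root"/sys/class/net/*; do
        [ -e "$dir/flags" ] || continue
        iface=${dir##*/}
        [ "$iface" = lo ] && continue
        if is_promisc "$root" "$iface"; then p=1; else p=0; fi
        ign=$(effective_arp_ignore "$root" "$iface")
        if [ "$p" -eq 1 ] && [ "$ign" -eq 0 ]; then
            verdict=ANSWERS_FOREIGN_ARP   # the case described in the thread
        elif [ "$p" -eq 1 ]; then
            verdict=PROMISC_ONLY          # sniffing, but ARP replies are restricted
        else
            verdict=OK
        fi
        echo "$iface promisc=$p arp_ignore=$ign $verdict"
    done
}

# Audit the live system when run directly.
audit_interfaces
```

Setting `net.ipv4.conf.all.arp_ignore=1` restricts replies to addresses configured on the interface that received the request, which moves a capture interface from `ANSWERS_FOREIGN_ARP` to `PROMISC_ONLY`.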