Using ARP to detect promiscuous NICs can be circumvented by disabling ARP.
PW
ronnie sahlberg wrote:
Obviously: if someone ARPs for a.b.c.d on a unicast garbage MAC
address and gets a reply, that is proof that host a.b.c.d has at
least one NIC in promisc mode.
The source MAC address in the reply gives the MAC address of the NIC
which is in promisc mode. (which I hope you have already changed
anyway)
On Sat, 28 Aug 2004 06:10:18 +1000, ronnie sahlberg
<ronniesahlberg@xxxxxxxxx> wrote:
Linux for example has weak bonding between a NIC and the IP addresses
that are assigned in the IP layer.
Say you have two NICs connected to the same network, eth0 and eth1.
eth0 has an IP address a.b.c.d but eth1 does not have any IP address assigned.
Due to the fact that the stack treats all IP addresses as global to
the machine and not really bound to a particular interface (ifconfig
lies to you here and makes you believe the IP address is bound to a
NIC)
someone can :
broadcast ARP for a.b.c.d and will get TWO replies, one reply from
each of the NICs.
someone can ARP for a.b.c.d on a garbage nonexistent NIC and he/she will
get a reply from your NIC that is in promisc mode, even though that
particular NIC did not have IP address a.b.c.d, as long as a.b.c.d is
the IP address of some other interface on your Linux box.
many many other techniques exist as well.
(the weak bonding between NIC and IP address causes lots of problems
with multihomed boxens sitting behind broken loadbalancers and they
have then to set up software ARP/MAC filtering in the network stack to
prevent these replies)
On Fri, 27 Aug 2004 14:51:55 -0500, Stef <stefmit@xxxxxxxxx> wrote:
I have my ethereal running on a non-IP-bound NIC, on my Linux box. Can
you please explain your statement to me?
Thx,
Stef
On Sat, 28 Aug 2004 05:40:17 +1000, ronnie sahlberg
<ronniesahlberg@xxxxxxxxx> wrote:
<snip>
One of many many ways to spot such a NIC is trying to ping your host but sending
the ping to a dummy/fake MAC address.
If your NIC is in promisc mode it will be passed through the NIC and
your network stack will respond to the ping.
<snip>
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
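
The check discussed in this thread, as an added example that is not part of the original messages: it builds the ARP request addressed to a garbage unicast MAC and tests a captured frame for the reply that would prove a promiscuous NIC. All MAC and IP values and the function names are constructed for illustration, and nothing is sent on the wire.

```python
import socket
import struct

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
ARP_FIXED = (1, 0x0800, 6, 4)  # Ethernet, IPv4, MAC length, IPv4 length
# Constructed sample values (locally administered MACs, documentation IPs).
OUR_MAC, OUR_IP = "02:00:00:00:00:01", "192.0.2.1"
BOGUS_MAC = "02:de:ad:be:ef:00"  # unicast MAC assumed to be owned by nobody
TARGET_IP, TARGET_NIC = "192.0.2.10", "02:00:00:00:00:99"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II header followed by a 28-byte IPv4-over-Ethernet ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", *ARP_FIXED, op)
    arp += mac_bytes(sha) + socket.inet_aton(spa)
    arp += mac_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp

def build_probe(our_mac, our_ip, target_ip, bogus_mac):
    """ARP who-has for target_ip, sent to a unicast garbage MAC, not broadcast."""
    if mac_bytes(bogus_mac)[0] & 0x01:
        raise ValueError("destination must be unicast (group bit clear)")
    return arp_frame(bogus_mac, our_mac, ARP_REQUEST,
                     our_mac, our_ip, "00:00:00:00:00:00", target_ip)

def promisc_evidence(frame, target_ip, our_mac):
    """Return the replying NIC's MAC if frame is an ARP reply for target_ip
    addressed to us, else None. None is not proof of a clean host: a sniffer
    with ARP disabled never answers."""
    if len(frame) < 42 or frame[0:6] != mac_bytes(our_mac):
        return None
    if frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (*ARP_FIXED, ARP_REPLY):
        return None
    if frame[28:32] != socket.inet_aton(target_ip):  # sender protocol address
        return None
    return ":".join(f"{b:02x}" for b in frame[6:12])  # Ethernet source MAC

def sample_reply():
    """Constructed reply, as a promiscuous NIC on the target would send it."""
    return arp_frame(OUR_MAC, TARGET_NIC, ARP_REPLY,
                     TARGET_NIC, TARGET_IP, OUR_MAC, OUR_IP)

if __name__ == "__main__":
    print(build_probe(OUR_MAC, OUR_IP, TARGET_IP, BOGUS_MAC).hex())
    print(promisc_evidence(sample_reply(), TARGET_IP, OUR_MAC))
```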