From owner-freebsd-security  Tue Jul 29 12:08:04 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id MAA06406
          for security-outgoing; Tue, 29 Jul 1997 12:08:04 -0700 (PDT)
Received: from critter.dk.tfs.com (critter.phk.freebsd.dk [195.8.133.1])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA06364
          for <security@FreeBSD.ORG>; Tue, 29 Jul 1997 12:07:55 -0700 (PDT)
Received: from critter.dk.tfs.com (localhost [127.0.0.1])
	by critter.dk.tfs.com (8.8.6/8.8.5) with ESMTP id VAA00286;
	Tue, 29 Jul 1997 21:06:13 +0200 (CEST)
To: Christopher Petrilli <petrilli@amber.org>
cc: Warner Losh <imp@village.org>, Robert Watson <robert@cyrus.watson.org>,
        security@FreeBSD.ORG
From: Poul-Henning Kamp <phk@dk.tfs.com>
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD) 
In-reply-to: Your message of "Tue, 29 Jul 1997 12:52:38 EDT."
             <Pine.BSF.3.95q.970729125111.22895A-100000@chaos.amber.org> 
Date: Tue, 29 Jul 1997 21:06:13 +0200
Message-ID: <284.870203173@critter.dk.tfs.com>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <Pine.BSF.3.95q.970729125111.22895A-100000@chaos.amber.org>, Christo
pher Petrilli writes:
>On Tue, 29 Jul 1997, Warner Losh wrote:
>
>> In message <Pine.BSF.3.95q.970728215803.4839A-100000@cyrus.watson.org> Rober
>t Watson writes:
>> : host.  Promiscuous mode simply disables the filter.  The only way to
>> : prevent the packets from being sniffable is to prevent them from going on
>> : the wire in question -- smart hubs (switches) do this, so are desirable.
>> 
>> Well, there is strong encryption.  While it doesn't prevent sniff of
>> the packets, per se, it generally leaves you with garbage and produces
>> the same net effect.
>
>I will note that there are a few people (ODS and Bay Networks included)
>who make what is called "secure Ethernet", which basically learns what MAC
>address is on each port, and scrambles frames that are not destined for
>that MAC.  What usually happens is it replkaces the data paylode with
>alternating 0/1, and fixes the checksum.  It works just fine :-)  It's
>also generally cheaper than a switch.

Except that most of them are easy to spoof:  Set up your sniffer to 
output 10 packets with different "from" MAC and it figures "hey port
#4 is upstream, send it everything..."

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.