Message-Id: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>
Date: Wed, 24 May 2000 03:19:28 +0200
To: freebsd-net@FreeBSD.ORG
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <200005240005.RAA00688@rhapture.apple.com>

>> Also, what about detecting some folks using that from an administrative
>> point of view, e.g. running some software like Antisniff?
>
>Check the mail archives. There are only mildly effective ways of
>doing this.
>
>> BTW: Which mechanisms one can use to "fake" MAC entries on (preferable)
>> Linux systems, and how to detect them?
>
>I'm not sure what a "fake" MAC 'entry' would be. First, 'entry'
>where? Second, how "fake". Do you mean "different from the one
>that's in the adapter's address ROM"? Third, this is a BSD list, not
>a Linux list. If you need info specific to Linux, try a different
>list.

Hi!

Well, I'm working on administering stuff on our local dorm. (Or what would be the correct term for that? ,-)
It's a chaotic peer-to-peer network, with a DHCP server and a gateway to university.
We already had some sniffer attack to sniff out POP3 passwords.
As some of the folks are running Linux, I'm also concerned about that possibility, so I have to take that into account. Some simple reference would be enough.

With fake address I mean that you pretend that your NIC had a different address from that stored in PROM.

Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could make it appear to other boxes on the same network as, say, 3e:2e:4b:3d:5c:00. In this case I'd like to know
a) how this is done and
b) how can it be detected

As Linux is more common than *BSD, I also have to take that possibility into account. Some general hints on the mechanism used there would be sufficient.

Regards
Olaf Hoyer

--------
Olaf Hoyer www.nightfire.de mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations ICQ:22838075

Love and hate are not blind, but blinded by the fire
that they carry within themselves. (Nietzsche)