From owner-freebsd-net  Mon Feb 15 13:14:59 1999
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA06965
          for freebsd-net-outgoing; Mon, 15 Feb 1999 13:14:59 -0800 (PST)
          (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA06960
          for <freebsd-net@freebsd.org>; Mon, 15 Feb 1999 13:14:58 -0800 (PST)
          (envelope-from fenner@parc.xerox.com)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <53116(4)>; Mon, 15 Feb 1999 13:14:57 PST
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177534>; Mon, 15 Feb 1999 13:14:49 -0800
To: Barney Wolff <barney@databus.com>
cc: freebsd-net@FreeBSD.ORG
Subject: Re: Router stats & NIC in prom. mode... 
In-reply-to: Your message of "Mon, 15 Feb 99 11:31:00 PST."
             <36c877540.71db@databus.databus.com> 
Date: Mon, 15 Feb 1999 13:14:44 PST
From: Bill Fenner <fenner@parc.xerox.com>
Message-Id: <99Feb15.131449pst.177534@crevenia.parc.xerox.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <36c877540.71db@databus.databus.com> you write:
>Send a packet to the IP of the suspect machine, with a "wrong" MAC.
>If it answers, it's snooping.  Not surefire, of course, but probably
>works unless the bad guy has altered the net code.

Er, only works if the bad guy has altered the net code, ignoring buggy
drivers.  (Non-buggy drivers drop packets that are not destined for
this host after handing them to bpf if IFF_PROMISC.)

  Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message