From owner-freebsd-security  Mon Jul 28 16:07:35 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id QAA10457
          for security-outgoing; Mon, 28 Jul 1997 16:07:35 -0700 (PDT)
Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10449
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 16:07:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id TAA26904; Mon, 28 Jul 1997 19:06:47 -0400 (EDT)
Date: Mon, 28 Jul 1997 19:06:47 -0400 (EDT)
From: Brian Buchanan <brian@thought.res.cmu.edu>
To: "Nicole H." <nicole@mediacity.com>
cc: security@FreeBSD.ORG
Subject: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To: <Chameleon.870081818.nmh@geekgirl>
Message-ID: <Pine.BSF.3.96.970728190019.26892A-100000@thought.res.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Nicole H. wrote:

> Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a 
> machine running in promiscuous mode?
> 

I was wondering the same thing when I read a clause prohibiting the use of
network cards in promiscuous mode in the CMU network use policy.  I asked
some computer security people I knew about this and their response was
that it is not possible to detect if a network card is in promiscious mode
unless you have access to the machine it's in - i.e., that you can look at
ifconfig on that machine.