From owner-freebsd-security Mon Jul 28 18:20:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA20967 for security-outgoing; Mon, 28 Jul 1997 18:20:24 -0700 (PDT)
Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA20958; Mon, 28 Jul 1997 18:20:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id VAA27284; Mon, 28 Jul 1997 21:20:06 -0400 (EDT)
Date: Mon, 28 Jul 1997 21:20:05 -0400 (EDT)
From: Brian Buchanan
To: Gary Palmer
cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To: <8208.870136587@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

> Brian Buchanan wrote in message ID
> :
> > I was wondering the same thing when I read a clause prohibiting the use of
> > network cards in promiscuous mode in the CMU network use policy. I asked
> > some computer security people I knew about this and their response was
> > that it is not possible to detect if a network card is in promiscuous mode
> > unless you have access to the machine it's in - i.e., that you can look at
> > ifconfig on that machine.
>
> That only works if ifconfig has not been altered to hide the flag.

That wasn't my point. My point was that it's not possible to detect it
without access to the local box. If you had root access you could always
query the card itself to see if it was set promiscuous.