Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 28 Jul 1997 21:59:39 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Brian Buchanan <brian@thought.res.cmu.edu>
Cc:        "Nicole H." <nicole@mediacity.com>, security@FreeBSD.ORG
Subject:   Re: Detecting sniffers (was: Re: security hole in FreeBSD)
Message-ID:  <Pine.BSF.3.95q.970728215803.4839A-100000@cyrus.watson.org>
In-Reply-To: <Pine.BSF.3.96.970728190019.26892A-100000@thought.res.cmu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 28 Jul 1997, Brian Buchanan wrote:

> On Mon, 28 Jul 1997, Nicole H. wrote:
> 
> > Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a 
> > machine running in promiscuous mode?
> > 
> 
> I was wondering the same thing when I read a clause prohibiting the use of
> network cards in promiscuous mode in the CMU network use policy.  I asked
> some computer security people I knew about this and their response was
> that it is not possible to detect if a network card is in promiscious mode
> unless you have access to the machine it's in - i.e., that you can look at
> ifconfig on that machine.

As far as I know, there is no way to tell.  The card has a filter on it
that normal just doesn't provide the packets that aren't intended for the
host.  Promiscuous mode simply disables the filter.  The only way to
prevent the packets from being sniffable is to prevent them from going on
the wire in question -- smart hubs (switches) do this, so are desirable.
They also increase available bandwidth, as only the required traffic goes
on a segment.  They're also more expensive, although prices are really
dropping.


  Robert N Watson 

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org   rwatson@tis.com  http://www.watson.org/~robert/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970728215803.4839A-100000>