Date: Mon, 28 Jul 1997 21:59:39 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Brian Buchanan
cc: "Nicole H.", security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, 28 Jul 1997, Brian Buchanan wrote:

> On Mon, 28 Jul 1997, Nicole H. wrote:
>
> > Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a
> > machine running in promiscuous mode?
> >
>
> I was wondering the same thing when I read a clause prohibiting the use of
> network cards in promiscuous mode in the CMU network use policy. I asked
> some computer security people I knew about this and their response was
> that it is not possible to detect if a network card is in promiscuous mode
> unless you have access to the machine it's in - i.e., that you can look at
> ifconfig on that machine.

As far as I know, there is no way to tell. The card has a filter on it that normally just doesn't provide the packets that aren't intended for the host. Promiscuous mode simply disables the filter.

The only way to prevent the packets from being sniffable is to prevent them from going on the wire in question -- smart hubs (switches) do this, so are desirable. They also increase available bandwidth, as only the required traffic goes on a segment. They're also more expensive, although prices are really dropping.

  Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/