From owner-freebsd-security  Tue Jul 29 12:38:31 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id MAA08015
          for security-outgoing; Tue, 29 Jul 1997 12:38:31 -0700 (PDT)
Received: from nexus.astro.psu.edu (nexus.astro.psu.edu [128.118.147.20])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id MAA08007
          for <security@FreeBSD.ORG>; Tue, 29 Jul 1997 12:38:28 -0700 (PDT)
Received: from mstar.astro.psu.edu by nexus.astro.psu.edu (4.1/Nexus-1.3)
	id AA14852; Tue, 29 Jul 97 15:38:23 EDT
Received: by mstar.astro.psu.edu (SMI-8.6/Client-1.3)
	id PAA03520; Tue, 29 Jul 1997 15:38:15 -0400
Message-Id: <19970729153815.19286@astro.psu.edu>
Date: Tue, 29 Jul 1997 15:38:15 -0400
From: Matthew Hunt <mph@astro.psu.edu>
To: Poul-Henning Kamp <phk@dk.tfs.com>
Cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
Reply-To: Matthew Hunt <mph@pobox.com>
References: <Pine.BSF.3.95q.970729125111.22895A-100000@chaos.amber.org> <284.870203173@critter.dk.tfs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76
In-Reply-To: <284.870203173@critter.dk.tfs.com>; from Poul-Henning Kamp on Tue, Jul 29, 1997 at 09:06:13PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, Jul 29, 1997 at 09:06:13PM +0200, Poul-Henning Kamp wrote:

> Except that most of them are easy to spoof:  Set up your sniffer to 
> output 10 packets with different "from" MAC and it figures "hey port
> #4 is upstream, send it everything..."

I think some can be configured with hardcoded associations between the
MAC and port, rather than learning them on their own.  Such beasts are
used for the residence hall networks at Penn State.