From owner-freebsd-questions@FreeBSD.ORG Mon Aug 16 15:18:24 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 415FA16A4CF for ; Mon, 16 Aug 2004 15:18:24 +0000 (GMT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id E11CD43D45 for ; Mon, 16 Aug 2004 15:18:23 +0000 (GMT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.12.11/8.12.11) id i7GFI4F7076528; Mon, 16 Aug 2004 10:18:04 -0500 (CDT) (envelope-from dan)
Date: Mon, 16 Aug 2004 10:18:04 -0500
From: Dan Nelson
To: Ruben de Groot, Kevin Stevens, Bill Moran, Remko Lodder, freebsd-questions@freebsd.org
Message-ID: <20040816151804.GI73391@dan.emsphone.com>
References: <200408151429.05110.aaron@daltons.ca> <20040815170806.45fcb779.wmoran@potentialtech.com> <200408151603.26022.aaron@daltons.ca> <411FE2E9.1090704@elvandar.org> <20040815183205.66b753cd.wmoran@potentialtech.com> <688492D4-EF2F-11D8-9CD1-000A959CEE6A@pursued-with.net> <20040816122400.GA81160@ei.bzerk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040816122400.GA81160@ei.bzerk.org>
X-OS: FreeBSD 5.2-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.6i
Subject: Re: Is promiscuous mode bad?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 16 Aug 2004 15:18:24 -0000

In the last episode (Aug 16), Ruben de Groot said:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> > A lot of network scanners also trigger on NICS in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
>
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a
> network scanner that could.

The basic points are that since the kernel sees packets it usually
doesn't, there may be codepaths that incorrectly process certain packets
and send replies. There's also a small delay in processing all those
extra packets that might be seen as extra latency in pings etc. As CPUs
get faster and kernel bugs get fixed, these become harder and harder to
detect. Do a web or usenet search for "detect promiscuous mode" for lots
and lots of links.

-- 
	Dan Nelson
	dnelson@allantgroup.com
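An added illustration of the mechanism Dan Nelson describes (this is not code from the thread): a small Python model of a NIC receive filter in front of an ARP responder that checks only the IP layer. The host, MAC and IP values are constructed for the model, and the "IP-layer-only" responder is an assumption standing in for the kind of code path that answers frames the NIC would normally have dropped.

```python
# Model: the NIC's address filter normally drops frames not addressed to it,
# so the kernel never sees them. In promiscuous mode every frame reaches the
# kernel, and a code path that decides whether to answer by looking only at
# the ARP/IP layer (ignoring the Ethernet destination) replies to frames it
# "should" never have seen. That reply is the externally visible difference.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    arp_target_ip: str  # IP the ARP request asks about (constructed payload)

@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False

    def nic_accepts(self, frame: Frame) -> bool:
        """Receive filter: own unicast MAC or broadcast, or anything when promiscuous."""
        if self.promiscuous:
            return True
        return frame.dst_mac in (self.mac, BROADCAST)

    def arp_reply(self, frame: Frame):
        """Assumed stack behaviour: the ARP code path checks only the target IP,
        never the Ethernet destination. Returns the reply frame or None."""
        if not self.nic_accepts(frame):
            return None  # frame dropped by the NIC; kernel never sees it
        if frame.arp_target_ip != self.ip:
            return None  # not for us at the ARP layer either
        return Frame(dst_mac=frame.src_mac, src_mac=self.mac, arp_target_ip=self.ip)

def probe_replies(host: Host, dst_mac: str) -> bool:
    """Does an ARP request for host.ip, carried in a frame with the given
    Ethernet destination, produce a reply from this host?"""
    probe = Frame(dst_mac=dst_mac, src_mac="00:00:5e:00:53:01", arp_target_ip=host.ip)
    return host.arp_reply(probe) is not None

def compare_modes(host_mac="00:00:5e:00:53:aa", host_ip="192.0.2.10",
                  odd_mac="ff:ff:ff:ff:ff:fe"):
    """(reply in normal mode, reply in promiscuous mode) for a frame whose
    destination is neither the host's MAC nor broadcast."""
    normal = Host(host_mac, host_ip, promiscuous=False)
    sniffer = Host(host_mac, host_ip, promiscuous=True)
    return probe_replies(normal, odd_mac), probe_replies(sniffer, odd_mac)

if __name__ == "__main__":
    print(compare_modes())  # (False, True)
```

As the message notes, a stack that also checks the Ethernet destination before answering gives (False, False), which is why fixed kernels make this harder to observe.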