Date:      Mon, 16 Aug 2004 10:18:04 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Ruben de Groot <mail25@bzerk.org>, Kevin Stevens <freebsd@pursued-with.net>, Bill Moran <wmoran@potentialtech.com>, Remko Lodder <remko@elvandar.org>, freebsd-questions@freebsd.org
Subject:   Re: Is promiscuous mode bad?
Message-ID:  <20040816151804.GI73391@dan.emsphone.com>
In-Reply-To: <20040816122400.GA81160@ei.bzerk.org>
References:  <200408151429.05110.aaron@daltons.ca> <20040815170806.45fcb779.wmoran@potentialtech.com> <200408151603.26022.aaron@daltons.ca> <411FE2E9.1090704@elvandar.org> <20040815183205.66b753cd.wmoran@potentialtech.com> <688492D4-EF2F-11D8-9CD1-000A959CEE6A@pursued-with.net> <20040816122400.GA81160@ei.bzerk.org>

In the last episode (Aug 16), Ruben de Groot said:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> > A lot of network scanners also trigger on NICs in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
> 
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a
> network scanner that could.

The basic points are that since the kernel sees packets it usually
doesn't, there may be codepaths that incorrectly process certain
packets and send replies.  There's also a small delay in processing all
those extra packets that might be seen as extra latency in pings etc.
As CPUs get faster and kernel bugs get fixed, these become harder and
harder to detect.

Do a web or usenet search for "detect promiscuous mode" for lots and
lots of links.

-- 
	Dan Nelson
	dnelson@allantgroup.com
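
The latency comparison described above, as an added example that is not part of the original message. The RTT samples are constructed, and the function name, threshold and noise floor are assumptions; the second host shows the case where a fast CPU hides the shift in ordinary jitter.

```python
from statistics import median

def mad(samples):
    """Median absolute deviation: a noise estimate that ignores stray slow pings."""
    m = median(samples)
    return median(abs(x - m) for x in samples)

def latency_shift(quiet_ms, loaded_ms, threshold=3.0, floor_ms=0.01):
    """Compare ping RTTs taken while the segment is quiet with RTTs taken while
    it carries frames that are not addressed to the host being measured.

    Returns (shift_ms, score, suspicious). score is the median shift divided by
    the quiet-period noise (MAD scaled to approximate a standard deviation).
    threshold and floor_ms are assumed values, not taken from any tool.
    """
    if len(quiet_ms) < 5 or len(loaded_ms) < 5:
        raise ValueError("need at least 5 samples per set")
    shift = median(loaded_ms) - median(quiet_ms)
    # The floor keeps a perfectly flat baseline from producing a huge score.
    noise = max(1.4826 * mad(quiet_ms), floor_ms)
    score = shift / noise
    return shift, score, score > threshold

# Constructed samples (milliseconds), not real measurements.
# Slow host whose kernel is processing every frame on the wire:
SLOW_QUIET = [0.42, 0.40, 0.45, 0.41, 0.43, 0.44, 0.40, 0.42]
SLOW_LOADED = [0.71, 0.68, 0.75, 0.66, 0.73, 0.70, 0.69, 0.74]
# Fast host: the extra work is lost in normal jitter.
FAST_QUIET = [0.21, 0.19, 0.22, 0.20, 0.23, 0.20, 0.21, 0.22]
FAST_LOADED = [0.21, 0.20, 0.23, 0.21, 0.22, 0.20, 0.22, 0.21]

if __name__ == "__main__":
    for name, quiet, loaded in (("slow", SLOW_QUIET, SLOW_LOADED),
                                ("fast", FAST_QUIET, FAST_LOADED)):
        shift, score, suspicious = latency_shift(quiet, loaded)
        print(f"{name}: shift={shift:.3f} ms score={score:.1f} suspicious={suspicious}")
```

A positive result only says the host slowed down under load; measuring a known non-sniffing host on the same segment at the same time helps separate that from general congestion.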


