How can I find out that someone is using its network card in
promiscuous mode in a subnet?

Thank you!


  • Bill Campbell at Feb 3, 2010 at 10:28 pm

    On Wed, Feb 03, 2010, Vadkan Jozsef wrote:
    > How can I find out that someone is using its network card in
    > promiscuous mode in a subnet?

    We use the swatch log watcher to detect lines like this in
    /var/log/messages (this is from a system running VMware virtual
    machines in bridging mode so this is normal):

    Jan 28 17:35:57 pogo kernel: device eth1 entered promiscuous mode

    Bill
    --
    INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    Voice: (206) 236-1676 Mercer Island, WA 98040-0820
    Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792

    Our Foreign dealings are an Open Book, generally a Check Book.
    Will Rogers
  • Markus Falb at Feb 7, 2010 at 3:15 am

    On 03/02/2010 23:28, Bill Campbell wrote:
    > On Wed, Feb 03, 2010, Vadkan Jozsef wrote:
    >> How can I find out that someone is using its network card in
    >> promiscuous mode in a subnet?
    > We use the swatch log watcher, to detect lines like this in
    > /var/log/messages (this is from a system running VMware virtual
    > machines in bridging mode so this is normal):

    I believe the interface flags are defined in the kernel sources in
    include/linux/if.h
    #define IFF_PROMISC 0x100 /* receive all packets */

    You can read the flags from /sys

    Promiscuous mode off:
    #$ cat /sys/class/net/eth0/flags
    0x1003

    Promiscuous mode on:
    #$ cat /sys/class/net/eth0/flags
    0x1103

    Anyway, both grepping the logs or looking at /sys requires local access.

    --
    best regards,
    markus
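
Added example (not part of the original thread): a local check that combines the two approaches above, testing the `IFF_PROMISC` bit in each interface's sysfs `flags` file and replaying kernel "entered/left promiscuous mode" messages to get the current state per device. The helper names, the temporary sysfs-like tree and the second and third log lines are constructed for illustration; the flag values and the first log line are the ones quoted in the thread.

```python
import os
import re
import tempfile

IFF_PROMISC = 0x100  # include/linux/if.h: receive all packets

def promisc_interfaces(sysfs_root="/sys/class/net"):
    """Return sorted names of interfaces whose flags word has IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # entry is not an interface directory, or flags is unreadable
        if flags & IFF_PROMISC:
            found.append(name)
    return found

LOG_RE = re.compile(
    r"kernel: (?:\[[^\]]*\] )?device (\S+) (entered|left) promiscuous mode")

def promisc_from_log(lines):
    """Replay kernel messages in order; return devices whose last event was 'entered'."""
    state = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return sorted(dev for dev, on in state.items() if on)

def build_sample_sysfs():
    """Constructed stand-in for /sys/class/net using the two flag values from the thread."""
    root = tempfile.mkdtemp()
    for name, flags in (("eth0", "0x1003"), ("eth1", "0x1103")):
        os.mkdir(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root

# Constructed sample log: the first line is quoted in the thread, the others are made up.
SAMPLE_LOG = [
    "Jan 28 17:35:57 pogo kernel: device eth1 entered promiscuous mode",
    "Jan 28 17:36:10 pogo kernel: device eth2 entered promiscuous mode",
    "Jan 28 17:40:02 pogo kernel: device eth2 left promiscuous mode",
]

if __name__ == "__main__":
    print("sample sysfs:", promisc_interfaces(build_sample_sysfs()))
    print("sample log:  ", promisc_from_log(SAMPLE_LOG))
    if os.path.isdir("/sys/class/net"):
        print("this host:   ", promisc_interfaces())
```

Hosts that bridge virtual machines will report promiscuous interfaces as normal behaviour, so alerting on the output needs an allow-list of expected devices.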
  • Les Bell at Feb 3, 2010 at 10:45 pm

    Vadkan Jozsef wrote:
    > How can I find out that someone is using its network card in
    > promiscuous mode in a subnet?

    http://sourceforge.net/projects/prodetect/

    Best,

    --- Les Bell
    [http://www.lesbell.com.au]
    Tel: +61 2 9451 1144
  • Nifty Cluster Mitch at May 3, 2010 at 6:02 am

    On Thu, Feb 04, 2010 at 09:45:26AM +1100, Les Bell wrote:
    > Vadkan Jozsef wrote:
    >> How can I find out that someone is using its network card in
    >> promiscuous mode in a subnet?
    >
    > http://sourceforge.net/projects/prodetect/

    Strictly you cannot tell if a remote card is in promiscuous mode.

    Some card drivers correctly switch to promiscuous mode when more than
    one multicast address is being listened to and there is no external
    clue that it has done so. For what it is worth the MAC of the card can
    see all the bits on the wire and above the MAC are a collection
    of hardware and software filters that gate the bits further
    up the stack.

    Switches limit the ability of a host to snoop but some
    traffic is still seen on all nodes. Once a host is seen some
    attacks become possible which is why the expensive switches
    have a market.


    --
    T o m M i t c h e l l
    Found me a new hat, now what?
  • Les Bell at Feb 3, 2010 at 10:53 pm

    "Les Bell" wrote:
    > http://sourceforge.net/projects/prodetect/

    Sorry - just remembered that's a Windows program. The classic tool for
    monitoring IP/Ethernet address pairings is arpwatch, but unlike prodetect,
    it will only report an ARP cache poisoning attack, not someone silently
    sniffing (which isn't much use on switched networks anyway).

    Best,

    --- Les Bell
    [http://www.lesbell.com.au]
    Tel: +61 2 9451 1144

Discussion Overview
group: centos @
categories: centos
posted: Feb 3, '10 at 10:11p
active: May 3, '10 at 6:02a
posts: 6
users: 5
website: centos.org
irc: #centos