Incorrect Linux ARP behavior

From: Seth McGann (smmat_private)
Date: Fri Sep 18 1998 - 17:14:28 PDT

    After further investigation it appears neped.c (the Linux sniffer detector
    by savageat_private) operates due to a problem in
    /linux/net/ipv4/arp.c.  The function arp_rcv() controls when to send ARP
    responses.  The criteria for sending these responses are flawed, in that it
    will respond to ARP requests regardless of the destination MAC address.
    Normally only frames with a station's MAC address are processed so this is
    not a problem.  In promiscuous mode, all frames are processed, and without
    checking the destination MAC address there is no way to discern if the
    packet was really bound for the listening station.  To fix this problem all
    that needs to be done is add the following check (pseudo code):
    
    if(ether_header_destination != device_hardware_address) return;
    
    
    Seth M. McGann / smmat_private        "Security is making it
    http://www.wpi.edu/~smm              to the bathroom in time."
    KeyID: 2048/1024/E2501C80
    Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
    
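The destination check from the message, written out as a self-contained C function beside the behaviour without it. This is an added example, not code from the post or from the kernel's arp.c; the function names and the sample frame builder are constructed for illustration, and it assumes broadcast frames must still be accepted, since ARP requests are normally sent to the Ethernet broadcast address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN 6
#define ARP_FRAME_LEN 42 /* 14-byte Ethernet header + 28-byte ARP body */

static const uint8_t BCAST[MAC_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
/* Bytes 12..21: EtherType ARP, Ethernet/IPv4, lengths 6 and 4, op = request */
static const uint8_t ARP_REQ[10] = {0x08, 0x06, 0x00, 0x01, 0x08, 0x00,
                                    0x06, 0x04, 0x00, 0x01};

/* True if the frame is an Ethernet/IPv4 ARP request whose target IP is ip. */
static int is_arp_request_for(const uint8_t *f, size_t len, const uint8_t *ip)
{
    return len >= ARP_FRAME_LEN && memcmp(f + 12, ARP_REQ, sizeof ARP_REQ) == 0
           && memcmp(f + 38, ip, 4) == 0;
}

/* Behaviour described in the post: the destination MAC is never examined. */
int reply_without_dst_check(const uint8_t *f, size_t len, const uint8_t *ip)
{
    return is_arp_request_for(f, len, ip);
}

/* With the check: only frames addressed to our MAC or to broadcast. */
int reply_with_dst_check(const uint8_t *f, size_t len,
                         const uint8_t *mac, const uint8_t *ip)
{
    if (len < MAC_LEN)
        return 0;
    if (memcmp(f, mac, MAC_LEN) != 0 && memcmp(f, BCAST, MAC_LEN) != 0)
        return 0; /* not addressed to this station */
    return is_arp_request_for(f, len, ip);
}

/* Constructed sample frame: an ARP request for target_ip, addressed to dst. */
void make_arp_request(uint8_t *f, const uint8_t *dst, const uint8_t *target_ip)
{
    static const uint8_t src_mac[MAC_LEN] = {0x02, 0, 0, 0, 0, 0x01};
    static const uint8_t src_ip[4] = {192, 0, 2, 1};
    memset(f, 0, ARP_FRAME_LEN);
    memcpy(f, dst, MAC_LEN);          /* Ethernet destination */
    memcpy(f + 6, src_mac, MAC_LEN);  /* Ethernet source */
    memcpy(f + 12, ARP_REQ, sizeof ARP_REQ);
    memcpy(f + 22, src_mac, MAC_LEN); /* ARP sender MAC */
    memcpy(f + 26, src_ip, 4);        /* ARP sender IP */
    memcpy(f + 38, target_ip, 4);     /* ARP target IP */
}
```
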