Re: Incorrect Linux ARP behavior

From: pedwardat_private
Date: Fri Sep 18 1998 - 19:01:20 PDT

    >
    > if(ether_header_destination != device_hardware_address) return;
    >
    
    When you place the interface in promiscuous mode (on Linux), this chunk
    of code is exactly what you're bypassing.
    
    It would probably be more accurate to say that the sniffer detector
    simply finds machines that are in promiscuous mode, and exhibit the
    behaviour that ARPs are returned for ETHs not its own.
    
    You can detect if a box is in promiscuous mode easier if:
    
    Send a packet with the correct IP of the box:odd port, but the wrong ETH
    address.  If you get an RST, the box is in promiscuous mode.  If
    you do not, it's not.
    
    >
    > Seth M. McGann / smmat_private        "Security is making it
    >
    
    --Perry
    
    --
    Perry Harrington        System Software Engineer    zelur xuniL  ()
    http://www.webcom.com  perry.harringtonat_private  Think Blue.  /\
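
The probe described in the message, as an added example that is not part of the original post: a small C model of a host's receive path showing why a wrong-MAC packet draws an RST only from a promiscuous interface. The struct layout, function names, addresses and the `sw_mac_check` flag are assumptions for illustration, not kernel code; the flag adds a contrast case in which a stack that re-checks the destination address itself does not answer the probe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a host's receive path; not kernel source. */
struct host {
    uint8_t  mac[6];
    uint32_t ip;
    bool     promisc;       /* NIC hardware address filter switched off */
    bool     sw_mac_check;  /* assumption: stack re-checks the MAC itself */
};
struct frame { uint8_t dst_mac[6]; uint32_t dst_ip; uint16_t dst_port; };
enum reply { NO_REPLY, TCP_RST };

static bool mac_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }

/* Reply the host sends for a TCP segment aimed at a port nobody listens on. */
enum reply rx_path(const struct host *h, const struct frame *f)
{
    /* NIC filter: without promiscuous mode only our own unicast MAC passes. */
    if (!h->promisc && !mac_eq(f->dst_mac, h->mac)) return NO_REPLY;
    /* The quoted software check; per the message it is not in effect
     * once the interface is promiscuous (sw_mac_check == false). */
    if (h->sw_mac_check && !mac_eq(f->dst_mac, h->mac)) return NO_REPLY;
    /* IP layer: only packets addressed to this host are delivered locally. */
    if (f->dst_ip != h->ip) return NO_REPLY;
    return TCP_RST;  /* closed port answers with a reset */
}

/* The probe from the message: correct IP, odd port, wrong Ethernet address. */
bool looks_promiscuous(const struct host *h)
{
    struct frame probe = { {0x02, 0, 0, 0, 0, 0x99}, h->ip, 54321 };  /* constructed values */
    return rx_path(h, &probe) == TCP_RST;
}

int main(void)
{
    struct host normal  = { {0x02, 0, 0, 0, 0, 0x01}, 0x0a000005, false, false };
    struct host sniffer = normal, checked = normal;
    sniffer.promisc = true;
    checked.promisc = true; checked.sw_mac_check = true;
    printf("normal=%d sniffer=%d checked=%d\n", looks_promiscuous(&normal),
           looks_promiscuous(&sniffer), looks_promiscuous(&checked));
    return 0;
}
```

In this model a silent target is only evidence of non-promiscuous mode when the stack is known to skip the software check; the `checked` host stays quiet while sniffing.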
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:50 PDT