> > if(ether_header_destination != device_hardware_address) return; > When you place the interface in promiscuous mode (on Linux), this chunk of code is exactly what you're bypassing. It would probably be more accurate to say that the sniffer detector simply finds machines that are in promiscuous mode, and exhibit the behaviour that ARPs are returned for ETH's not it's own. You can detect if a box is in promiscuous mode easier if: Send a packet with the correct IP of the box:odd port, but the wrong ETH address. If you get an RST, the box is in promiscuous mode. If you do not, it's not. > > Seth M. McGann / smmat_private "Security is making it > --Perry -- Perry Harrington System Software Engineer zelur xuniL () http://www.webcom.com perry.harringtonat_private Think Blue. /\
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:50 PDT