> You can detect if a box is in promiscuous mode easier if:
>
> Send a packet with the correct IP of the box:odd port, but the wrong ETH
> address. If you get an RST, the box is in promiscuous mode. If
> you do not, it's not.
Once I was dialed up(1) to a terminal server(2) that was on one
logical network and which shared a physical network with a machine(3)
on another logical network, and the interface of the router to the
internet was aliased to both logical networks in such a way that when
(3) was in promiscuous mode and I pinged it from the dial up machine(1),
I would get two for one ping responses.
On analysing it I found that the pings were going through the terminal
server on its logical network.. to the router.. then from the router to
the machine on the other network. When in promiscuous mode (3) would
pick up on the IP address from the packet going to the router as well
as from the packet coming from the router to it(3).
It was hard to figure out at first cause I was using tcpdump to try and
figure it out :)
A reboot and it was single pinging again. Then I caught on.
Peter
--
pjordan at blackwire.com 436-0829 Black Wire Media
"The meaning of a value is determined by how it is used" : Ousterhout
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:59 PDT