In message <199809190201.TAA15205at_private>, pedwardat_private writes: >> >> if(ether_header_destination != device_hardware_address) return; >> > >When you place the interface in promiscuous mode (on Linux), this chunk >of code is exactly what you're bypassing. > >It would probably be more accurate to say that the sniffer detector >simply finds machines that are in promiscuous mode, and exhibit the >behaviour that ARPs are returned for ETH's not it's own. > >You can detect if a box is in promiscuous mode easier if: > >Send a packet with the correct IP of the box:odd port, but the wrong ETH >address. If you get an RST, the box is in promiscuous mode. If >you do not, it's not. That depends on the stack. Many platforms already check the Ethernet address before accepting IP packets. (I can't speak for Linux, but I did check several others a few years ago.)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:00 PDT