Re: Incorrect Linux ARP behavior

From: Steven M. Bellovin (smbat_private)
Date: Sat Sep 19 1998 - 05:40:45 PDT


    In message <199809190201.TAA15205at_private>, pedwardat_private writes:
    >>
    >> if(ether_header_destination != device_hardware_address) return;
    >>
    >
    >When you place the interface in promiscuous mode (on Linux), this chunk
    >of code is exactly what you're bypassing.
    >
    >It would probably be more accurate to say that the sniffer detector
    >simply finds machines that are in promiscuous mode, and exhibit the
    >behaviour that ARPs are returned for ETH's not its own.
    >
    >You can detect if a box is in promiscuous mode easier if:
    >
    >Send a packet with the correct IP of the box:odd port, but the wrong ETH
    >address.  If you get an RST, the box is in promiscuous mode.  If
    >you do not, it's not.
    
    That depends on the stack.  Many platforms already check the Ethernet
    address before accepting IP packets.  (I can't speak for Linux, but
    I did check several others a few years ago.)
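
The point made in the reply above, as an added example that is not part of the original message and is not code from any real network stack: a small C model of the receive path showing that the wrong-Ethernet-address probe only draws a reply when the interface is promiscuous and the stack does not re-check the destination address itself. All names and addresses are hypothetical, and multicast is ignored for brevity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one host's receive path (not real kernel code). */
struct host {
    uint8_t mac[6];
    bool promiscuous;       /* NIC hardware address filter switched off */
    bool stack_checks_mac;  /* IP input re-checks the Ethernet destination */
};

static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

static bool addressed_to(const struct host *h, const uint8_t dst[6]) {
    return memcmp(dst, h->mac, 6) == 0 || memcmp(dst, BCAST, 6) == 0;
}

/* Stage 1: the NIC passes the frame up if promiscuous or addressed to it. */
static bool nic_accepts(const struct host *h, const uint8_t dst[6]) {
    return h->promiscuous || addressed_to(h, dst);
}

/* Stage 2: the software check from the quoted line, if the stack has one. */
static bool stack_accepts(const struct host *h, const uint8_t dst[6]) {
    return !h->stack_checks_mac || addressed_to(h, dst);
}

/* Probe: right IP, wrong Ethernet destination. A reply (the RST) is read
 * as "promiscuous"; silence is read as "not promiscuous". */
bool probe_gets_reply(bool promiscuous, bool stack_checks_mac) {
    const struct host h = {{0x02, 0, 0, 0, 0, 0x01}, promiscuous, stack_checks_mac};
    const uint8_t wrong_dst[6] = {0x02, 0, 0, 0, 0, 0x99};  /* constructed */
    return nic_accepts(&h, wrong_dst) && stack_accepts(&h, wrong_dst);
}

int main(void) {
    printf("promisc  stack_check  reply\n");
    for (int p = 0; p <= 1; p++)
        for (int c = 0; c <= 1; c++)
            printf("%-8d %-12d %s\n", p, c, probe_gets_reply(p, c) ? "yes" : "no");
    return 0;
}
```

In this model a promiscuous host whose stack performs the check stays silent, so silence alone does not show that an interface is not in promiscuous mode.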
    


