[7979] in bugtraq

Re: Incorrect Linux ARP behavior

daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Fri Sep 18 23:54:17 1998

Date: 	Fri, 18 Sep 1998 19:01:20 -0700
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To:         smm@wpi.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199809190014.UAA29225@acestes-fe0.ultra.net> from "Seth McGann"
              at Sep 18, 98 08:14:28 pm

>
> if(ether_header_destination != device_hardware_address) return;
>

When you place the interface in promiscuous mode (on Linux), this chunk
of code is exactly what you're bypassing.

It would probably be more accurate to say that the sniffer detector
simply finds machines that are in promiscuous mode, and exhibit the
behaviour that ARPs are returned for ETHs not its own.

You can detect if a box is in promiscuous mode easier if:

Send a packet with the correct IP of the box:odd port, but the wrong ETH
address.  If you get an RST, the box is in promiscuous mode.  If
you do not, it's not.

>
> Seth M. McGann / smm@wpi.edu        "Security is making it
>

--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington@webcom.com  Think Blue.  /\
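
Added example, not part of the original message and not kernel source: a small C model of the receive path, showing why the wrong-ETH probe described above draws an RST only from a promiscuous host whose stack does not repeat the destination check. The struct names, the `sw_mac_check` flag, the addresses and the port numbers are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a host's receive path, not kernel code. */
struct host {
    uint8_t  mac[6];
    uint32_t ip;
    bool     promisc;       /* NIC hardware address filter switched off */
    bool     sw_mac_check;  /* assumption: stack re-checks the MAC itself */
    uint16_t open_port;     /* the one listening TCP port */
};
struct frame { uint8_t dst_mac[6]; uint32_t dst_ip; uint16_t dst_port; };
enum reply { NO_REPLY, SYN_ACK, RST };

/* What the host sends back for a TCP SYN carried in frame f. */
enum reply host_receive(const struct host *h, const struct frame *f)
{
    bool for_us = memcmp(f->dst_mac, h->mac, 6) == 0;

    /* The quoted check, done by the NIC; promiscuous mode bypasses it. */
    if (!for_us && !h->promisc)
        return NO_REPLY;
    /* Same check repeated in software, independent of the NIC mode. */
    if (!for_us && h->sw_mac_check)
        return NO_REPLY;
    if (f->dst_ip != h->ip)
        return NO_REPLY;
    return f->dst_port == h->open_port ? SYN_ACK : RST;
}

/* The probe from the message: correct IP, closed port, wrong MAC. */
bool probe_says_promiscuous(const struct host *h, uint16_t closed_port)
{
    struct frame f = { {0}, h->ip, closed_port };
    memcpy(f.dst_mac, h->mac, 6);
    f.dst_mac[5] ^= 0x01;   /* differs from the real MAC by one bit */
    return host_receive(h, &f) == RST;
}

int main(void)
{
    struct host h = { {0x02, 0, 0, 0, 0, 0x10}, 0x0a000005, true, false, 22 };
    printf("promiscuous, no software check: %d\n", probe_says_promiscuous(&h, 54321));
    h.sw_mac_check = true;
    printf("promiscuous, software check:    %d\n", probe_says_promiscuous(&h, 54321));
    return 0;
}
```

In this model a promiscuous host that does repeat the check in software stays silent, so the probe reports it as not promiscuous.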