[7989] in bugtraq
Re: Incorrect Linux ARP behavior
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Sep 19 20:18:27 1998
Date: Sat, 19 Sep 1998 08:40:45 -0400
Reply-To: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To: pedward@webcom.com
To: BUGTRAQ@NETSPACE.ORG
In message <199809190201.TAA15205@eris.webcom.com>, pedward@WEBCOM.COM writes:
>>
>> if(ether_header_destination != device_hardware_address) return;
>>
>
>When you place the interface in promiscuous mode (on Linux), this chunk
>of code is exactly what you're bypassing.
>
>It would probably be more accurate to say that the sniffer detector
>simply finds machines that are in promiscuous mode, and exhibit the
>behaviour that ARPs are returned for ETH's not it's own.
>
>You can detect if a box is in promiscuous mode easier if:
>
>Send a packet with the correct IP of the box:odd port, but the wrong ETH
>address. If you get an RST, the box is in promiscuous mode. If
>you do not, it's not.
That depends on the stack. Many platforms already check the Ethernet
address before accepting IP packets. (I can't speak for Linux, but
I did check several others a few years ago.)
