Is promiscuous mode bad?

Dan Nelson dnelson at allantgroup.com
Mon Aug 16 08:18:24 PDT 2004


In the last episode (Aug 16), Ruben de Groot said:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> > A lot of network scanners also trigger on NICs in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
> 
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a
> network scanner that could.

The basic points are that since the kernel sees packets it usually
doesn't, there may be codepaths that incorrectly process certain
packets and send replies.  There's also a small delay in processing all
those extra packets that might be seen as extra latency in pings etc.
As CPUs get faster and kernel bugs get fixed, these become harder and
harder to detect.

Do a web or usenet search for "detect promiscuous mode" for lots and
lots of links.

-- 
	Dan Nelson
	dnelson at allantgroup.com
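The mechanism Dan describes, as an added, constructed model (this is not code from the post or from FreeBSD): a NIC's hardware address filter normally drops frames not addressed to the host, so the kernel never sees them; in promiscuous mode every frame reaches the kernel, and a codepath that trusts the hardware filter may answer a request it should have ignored. The post only says "certain packets", so the probe shape used here (an ARP request whose destination MAC is neither the host's nor broadcast) is an assumption, as are all MAC and IP addresses. No packets are sent; the point is to show why a reply is evidence and why a fixed kernel makes the silence inconclusive.

```python
"""Constructed model of the detection idea in the post: a host whose NIC is
in promiscuous mode hands the kernel frames it would normally never see, and
a kernel codepath that trusts the hardware filter may answer one of them.
Nothing here touches a real network; addresses are made up."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    arp_target_ip: str          # only ARP requests/replies are modelled
    reply: bool = False


@dataclass
class Host:
    mac: str
    ip: str
    promisc: bool = False                 # a sniffer turns this on
    kernel_checks_dst_mac: bool = False   # a fixed kernel re-validates L2 dst
    seen: list = field(default_factory=list)

    def nic_accepts(self, frame: Frame) -> bool:
        """Hardware address filter: only my unicast MAC or broadcast get
        through, unless the NIC is promiscuous."""
        if self.promisc:
            return True
        return frame.dst_mac in (self.mac, BROADCAST)

    def receive(self, frame: Frame):
        """Return the frame the kernel would send back, or None."""
        if not self.nic_accepts(frame):
            return None
        self.seen.append(frame)          # every accepted frame costs CPU time
        if frame.reply:
            return None
        # Unfixed codepath: assumes anything the NIC passed up was addressed
        # to this host and answers purely on the IP match.
        if self.kernel_checks_dst_mac and frame.dst_mac not in (self.mac, BROADCAST):
            return None
        if frame.arp_target_ip == self.ip:
            return Frame(dst_mac=frame.src_mac, src_mac=self.mac,
                         arp_target_ip=self.ip, reply=True)
        return None


PROBER_MAC = "02:00:00:00:00:01"   # constructed
BOGUS_DST = "02:00:00:00:ff:fe"    # constructed: matches no host, not broadcast


def is_alive(host: Host) -> bool:
    """Control probe: a normal broadcast ARP request, answered by any live host."""
    req = Frame(dst_mac=BROADCAST, src_mac=PROBER_MAC, arp_target_ip=host.ip)
    return host.receive(req) is not None


def answers_misaddressed_probe(host: Host) -> bool:
    """The check from the post: the request's destination MAC is one the
    hardware filter should drop, so a reply means the NIC is promiscuous
    AND the kernel still has the codepath that replies anyway."""
    req = Frame(dst_mac=BOGUS_DST, src_mac=PROBER_MAC, arp_target_ip=host.ip)
    return host.receive(req) is not None


def audit(hosts):
    """Map IP -> True when a host gave itself away. A False is not proof of
    innocence: a promiscuous host with a fixed kernel stays silent."""
    return {h.ip: is_alive(h) and answers_misaddressed_probe(h) for h in hosts}


if __name__ == "__main__":
    fleet = [
        Host("02:00:00:00:00:10", "192.0.2.10"),
        Host("02:00:00:00:00:11", "192.0.2.11", promisc=True),
        Host("02:00:00:00:00:12", "192.0.2.12", promisc=True, kernel_checks_dst_mac=True),
    ]
    for ip, flagged in audit(fleet).items():
        print(ip, "flagged" if flagged else "silent")
```

Running it flags only the second host: the first never sees the probe, and the third sees it but its kernel discards it. The `seen` list on each host is a stand-in for the extra processing the post mentions as a latency signal; it grows for promiscuous hosts whether or not they reply, which is why timing-based checks survive the kernel fix but get harder to read as hosts get faster.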

