How can I find out that someone is using its network card in promiscuous mode in a subnet?
Thank you!
On Wed, Feb 03, 2010, Vadkan Jozsef wrote:
> How can I find out that someone is using its network card in promiscuous mode in a subnet?
We use the swatch log watcher to detect lines like this in /var/log/messages (this is from a system running VMware virtual machines in bridging mode so this is normal):
Jan 28 17:35:57 pogo kernel: device eth1 entered promiscuous mode
Bill
On 03/02/2010 23:28, Bill Campbell wrote:
> On Wed, Feb 03, 2010, Vadkan Jozsef wrote:
>> How can I find out that someone is using its network card in promiscuous mode in a subnet?
> We use the swatch log watcher to detect lines like this in /var/log/messages (this is from a system running VMware virtual machines in bridging mode so this is normal):
I believe the interface flags are defined in the kernel sources in include/linux/if.h:
#define IFF_PROMISC 0x100 /* receive all packets */
You can read the flags from /sys.
Promiscuous mode off:
#$ cat /sys/class/net/eth0/flags
0x1003
Promiscuous mode on:
#$ cat /sys/class/net/eth0/flags
0x1103
Anyway, both grepping the logs and looking at /sys require local access.
--
best regards, markus
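The two local checks described in this thread (the kernel log message and the IFF_PROMISC bit in /sys), combined into one script as an added example that is not part of any poster's message. The function names and the optional sysfs-directory argument are assumptions made for illustration and testing.

```shell
#!/bin/sh
# IFF_PROMISC bit as quoted in the thread (include/linux/if.h).
IFF_PROMISC=0x100

# Print the name of every interface whose sysfs flags have IFF_PROMISC set.
# $1: sysfs net directory (default /sys/class/net). The parameter is an
#     assumption of this example so it can be run against a constructed tree.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for f in "$root"/*/flags; do
        [ -r "$f" ] || continue
        flags=
        read -r flags < "$f" || [ -n "$flags" ] || continue
        # Accept only a plain hex value before doing arithmetic on it.
        case $flags in
            0x|0x*[!0-9a-fA-F]*) continue ;;
            0x*) ;;
            *) continue ;;
        esac
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            iface=${f%/flags}
            echo "${iface##*/}"
        fi
    done
}

# Print "<iface> entered" or "<iface> left" for each kernel
# promiscuous-mode message found in the log file $1.
promisc_log_events() {
    sed -n \
        -e 's/.*device \([^ ]*\) entered promiscuous mode.*/\1 entered/p' \
        -e 's/.*device \([^ ]*\) left promiscuous mode.*/\1 left/p' \
        "$1"
}

# Report interfaces on this host that are currently promiscuous.
promisc_ifaces
```

For the log side, run `promisc_log_events /var/log/messages`; a host that bridges virtual machines, as in Bill's VMware case, will legitimately show up in both checks.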