-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/02/2010 23:28, Bill Campbell wrote: > On Wed, Feb 03, 2010, Vadkan Jozsef wrote: >> How can I find out that someone is using it's network card in >> promiscuous mode in a subnet? > > We use the swatch log watcher, to detect lines like this in > /var/log/messages (this is from a system running VMware virtual > machines in bridging mode so this is normal): i believe the interface flags are defined in the kernel sources in include/linux/if.h #define IFF_PROMISC 0x100 /* receive all packets */ You can read the flags from /sys Promiscous mode off: #$ cat /sys/class/net/eth0/flags 0x1003 Promiscous mode on: #$ cat /sys/class/net/eth0/flags 0x1103 Anyway, both grepping the logs or looking at /sys requires local access. - -- best regards, markus -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktuMD4ACgkQYoWFBIJE9eX3aQCgs56Gd8PJfNgIsgJNy/YPh/VE Y2sAn0azT/GEXPg8bzIABirICo19W3km =fCT8 -----END PGP SIGNATURE-----