[CentOS] how to find out promiscuous mode

Mon May 3 06:02:20 UTC 2010
Nifty Cluster Mitch <niftycluster at niftyegg.com>

On Thu, Feb 04, 2010 at 09:45:26AM +1100, Les Bell wrote:
> Vadkan Jozsef <jozsi.avadkan at gmail.com> wrote:
> 
> >>
> How can I find out that someone is using it's network card in
> promiscuous mode in a subnet?
> <<
> 
> http://sourceforge.net/projects/prodetect/
> 

Strictly you cannot tell if a remote card is in promiscuous mode.

Some card drivers correctly switch to promiscuous mode when more than
one multicast address is being listened to and there is no external
clue that it has done so.  For what it is worth the MAC of the card can
see all the bits on the wire and above the MAC are a collection
of hardware and software filters that gate the bits further
up the stack.

Switches limit the ability of a host to snoop but some
traffic is still seen on all nodes.  Once a host is seen some
attacks become possible which is why the expensive switches
have a market.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?