On Thu, Feb 04, 2010 at 09:45:26AM +1100, Les Bell wrote: > Vadkan Jozsef <jozsi.avadkan at gmail.com> wrote: > > >> > How can I find out that someone is using it's network card in > promiscuous mode in a subnet? > << > > http://sourceforge.net/projects/prodetect/ > Strictly you cannot tell if a remote card is in promiscuous mode. Some card drivers correctly switch to promiscuous mode when more than one multicast address is being listened to and there is no external clue that it has done so. For what it is worth the MAC of the card can see all the bits on the wire and above the MAC are a collection of hardware and software filters that gate the bits further up the stack. Switches limit the ability of a host to snoop but some traffic is still seen on all nodes. Once a host is seen some attacks become possible which is why the expensive switches have a market. -- T o m M i t c h e l l Found me a new hat, now what?