> Can a PC running a sniffer that sets the ethernet card to
> promiscous mode be detected by same?
No. A promiscuous PC looks exactly like a chaste one. :'/
> Or other methods?
You could plant false data on the wire and trap the user when s/he
Hm. There is one sneaky thing you could do that might work. If the
PC is running a sniffer and also a TCP stack, and will respond to an
ICMP Echo Request, then you might be able to find it. For each
possible address on the subnet you're scanning, cons up an ICMP Echo
Request packet with the source and destination Ethernet addresses set
to your machine's Ethernet address. Set the Source IP address to
your machine's IP address, and the Destination IP address to the
address you're testing.
A machine that's not in promiscuous mode will never see the Echo
Request packet, because its ethernet destination address is wrong.
However, a machine in promiscuous mode *will* see it, and will
probably respond to it since the IP address is correct. So if you
get any response to your pings, you know that it's from a machine in
The only problem with this scheme is that it'll only work on a limited
range of machines, and it's pretty easy to foil. A machine that
isn't running an IP stack or isn't handling ICMP Echo Requests won't
respond. A machine whose packet filter validates the Ethernet
address before passing a packet up to the IP layer won't respond.
I *think* that a machine running the Berkeley Packet Filter or Sun's
NIT *will* respond, though. I have no idea what the likelihood of a
cobbled-together PC sniffer responding is. You might catch a naive
student this way, though.
Ted Lemon Wells Fargo Bank, Information Protection Division
com +1 415 477 5045