Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: promiscuous mode on ethernet card-question.
From: Ted Lemon <mellon @ ipd . wellsfargo . com>
Date: Wed, 16 Nov 1994 11:07:03 -0800
To: wbuttles @ gopher . champlain . edu
Cc: Firewalls @ greatcircle . com
In-reply-to: Your message of "Wed, 16 Nov 1994 11:23:35 CST." <199411161123408099 . wbuttles @ gopher . champlain . edu>

> Can a PC running a sniffer that sets the ethernet card to
> promiscous mode be detected by same?

No.   A promiscuous PC looks exactly like a chaste one.   :'/

> Or other methods?

You could plant false data on the wire and trap the user when s/he
uses it.

Hm.  There is one sneaky thing you could do that might work.  If the
PC is running a sniffer and also a TCP stack, and will respond to an
ICMP Echo Request, then you might be able to find it.  For each
possible address on the subnet you're scanning, cons up an ICMP Echo
Request packet with the source and destination Ethernet addresses set
to your machine's Ethernet address.   Set the Source IP address to
your machine's IP address, and the Destination IP address to the
address you're testing.

A machine that's not in promiscuous mode will never see the Echo
Request packet, because its ethernet destination address is wrong.
However, a machine in promiscuous mode *will* see it, and will
probably respond to it since the IP address is correct.   So if you
get any response to your pings, you know that it's from a machine in
promiscuous mode.

The only problem with this scheme is that it'll only work on a limited
range of machines, and it's pretty easy to foil.   A machine that
isn't running an IP stack or isn't handling ICMP Echo Requests won't
respond.   A machine whose packet filter validates the Ethernet
address before passing a packet up to the IP layer won't respond.

I *think* that a machine running the Berkeley Packet Filter or Sun's
NIT *will* respond, though.   I have no idea what the likelihood of a
cobbled-together PC sniffer responding is.   You might catch a naive
student this way, though.


Ted Lemon		      Wells Fargo Bank, Information Protection Division
mellon @
 ipd .
 wellsfargo .
 com					+1 415 477 5045

Indexed By Date Previous: Re: promiscuous mode on ethernet card-question.
From: Jeff Murphy <jcmurphy @ cadman . cit . buffalo . edu>
Next: Promiscuous PCs
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Indexed By Thread Previous: Re: promiscuous mode on ethernet card-question.
From: Bruce Warrington <bruce @ ancc . com>
Next: Re: promiscuous mode on ethernet card-question.
From: Jason Matthews <jason @ dickory . SDSU . Edu>

Search Internet Search