> Hi folks,
> I found a very easy way to detect a sniffing computer from remote.
> It's really simple:
> How does an Ethernet card normally work? It takes a look at every
> (Ethernet) frame on the wire and looks for its Ethernet ID or the
> broadcast ID. If found, it takes the frame and hands it to the
> next upper layer, e.g. the Unix kernel.
> If you craft a packet for a special host, with a *wrong* Ethernet
> address, it won't reply - unless it's in promiscuous mode!
Looks fine, but it depends heavily on the OS/network interface card.
An RS/6000 box with NTX and AIX 4.1.4 doesn't send ARP replies at all
when NTX is in promiscuous mode.
A Sun/Solaris box with an le card has the same behavior when le is in
promiscuous mode and in normal operating mode. It doesn't reply to
ping with a spoofed MAC address.
So I may catch some of the RS/6000 boxes when they are in promiscuous mode,
but Suns successfully hide snooping mode from this remote probe.
> Kind regards,
> Marc Heuse
Denis Golubev, Moscow, Russia
Jet Infosystems Technical Staff
Phone: (+7 095) 973-48-48 E-mail: dlg @
Fax: (+7 095) 973-48-42
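
The probe logic discussed in this thread, as an added example that is not part of either message: it builds the ARP request frames (correct and wrong destination MAC) and shows why a missing reply to the wrong-MAC probe has to be read as inconclusive rather than clean. The host model, the three quirk names, the MAC addresses and the 192.0.2.x addresses are constructed for illustration; the `checks_dst` quirk is an assumed explanation for the Sun result, not something the thread states.

```python
import struct

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp_probe(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame carrying an ARP request (who-has target_ip)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4, opcode 1
    arp += src_mac + bytes(src_ip) + b"\x00" * 6 + bytes(target_ip)
    return eth + arp

def host_replies(frame, nic_mac, promiscuous, quirk):
    """Constructed host model. quirk is one of:
    'naive'          - stack answers whatever the card hands up
    'checks_dst'     - stack re-checks the destination MAC (assumption)
    'silent_promisc' - no ARP replies at all while promiscuous
    """
    dst = frame[:6]
    for_us = dst in (nic_mac, BROADCAST)
    if not (promiscuous or for_us):      # hardware filter drops the frame
        return False
    if quirk == "silent_promisc" and promiscuous:
        return False
    if quirk == "checks_dst" and not for_us:
        return False
    return True

def classify(baseline_reply, wrong_mac_reply):
    """Interpret one baseline probe plus one wrong-MAC probe."""
    if not baseline_reply:
        return "no-baseline"             # host down, or silent while sniffing
    return "promiscuous" if wrong_mac_reply else "inconclusive"

def probe(nic_mac, promiscuous, quirk):
    # Constructed addresses: locally administered MACs, documentation IPs.
    me, bogus = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:99")
    src_ip, dst_ip = (192, 0, 2, 1), (192, 0, 2, 10)
    good = build_arp_probe(nic_mac, me, src_ip, dst_ip)
    bad = build_arp_probe(bogus, me, src_ip, dst_ip)
    return classify(host_replies(good, nic_mac, promiscuous, quirk),
                    host_replies(bad, nic_mac, promiscuous, quirk))
```

Only the `naive` host is positively identified; a host that goes silent while promiscuous shows up as a lost baseline, which is worth alerting on if the same host answered ARP earlier.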