Quoth Mailing Lists [mailto:[EMAIL PROTECTED]], on Wednesday, May 26, 1999
8:35 AM:
> I'm looking for a free (or nearly free) tool in either Linux or NT that
> could tell me when a nic has been placed in promiscuous mode
[snip]
There is no method of detection (known to me) that allows you to detect
remotely whether a NIC is in promisc mode. The way I could see it done
would be to place a small shellscript in cron, which pages you when PROMISC
happens - sorta like this (quick script off the top of my head, I haven't
tested this - this would be for BASH on RedHat Linux 5.2):
#!/bin/bash
HOST=myhost
NIC=eth0
# Timestamp as MM/DD HH:MM
DATETIME=`date +'%m/%d %H:%M'`
# Pager e-mail address (redacted in the archive copy)
MYPAGER='[EMAIL PROTECTED]'
PROMISC_TEST=`ifconfig "$NIC" | grep PROMISC`
# Lock file left behind while the NIC is promisc; braces delimit $NIC
PROMISC_LOCK=/root/.${NIC}_is_promisc
# Test if we were in promisc when this script ran last
if [ ! -e "$PROMISC_LOCK" ]; then
    # Did the NIC report the PROMISC flag?
    if [ "$PROMISC_TEST" != "" ]; then
        echo "$NIC on $HOST went promisc at $DATETIME" | mail "$MYPAGER"
        touch "$PROMISC_LOCK"
    fi
else
    # We _were_ in promisc, now did it get turned off?
    if [ "$PROMISC_TEST" = "" ]; then
        echo "$NIC on $HOST went non-promisc at $DATETIME" | mail "$MYPAGER"
        rm -f "$PROMISC_LOCK"
    fi
fi
Hope this helps,
~Hans
--
Hans B. Petersen - [EMAIL PROTECTED]
Network Security Engineer - phone 303-581-5600
SCC Communications Corporation
~o' Sed quis custodiet ipsos custodes? 'o~
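
An added example, not part of the original post: the same local check done by reading the kernel's interface flags from sysfs rather than grepping ifconfig output, whose PROMISC flag on current Linux kernels does not reflect promiscuous mode requested through a packet socket (as capture tools commonly do). It assumes a kernel that exposes /sys/class/net/<interface>/flags; the function names and the optional directory argument are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# List interfaces whose kernel flags word has IFF_PROMISC set, using sysfs.

IFF_PROMISC=0x100   # bit value from <linux/if.h>

# promisc_ifaces [DIR]  (hypothetical helper name)
# DIR defaults to /sys/class/net; passing another directory is only there so
# the check can be exercised against a constructed tree.
# The ( ) body runs in a subshell, so its variables stay local.
promisc_ifaces() (
    root=${1:-/sys/class/net}
    for dir in "$root"/*/; do
        [ -r "${dir}flags" ] || continue
        flags=$(cat "${dir}flags")
        case $flags in
            0x | 0x*[!0-9a-fA-F]*) continue ;;  # malformed value
            0x*) ;;                             # hex word such as 0x1103
            *) continue ;;
        esac
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            basename "$dir"
        fi
    done
)

# Constructed sample tree (not real data): eth0 promiscuous, lo not.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/eth0" "$tree/lo"
    echo 0x1103 > "$tree/eth0/flags"   # UP|BROADCAST|PROMISC|MULTICAST
    echo 0x9 > "$tree/lo/flags"        # UP|LOOPBACK
    echo "$tree"
}

# Run against the live system (or a directory given as the first argument).
promisc_ifaces "$@"
```

From cron, the output can be piped to mail in the same way as the script above, one interface name per line.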