I am aware of the way to check on unix and linux variants, however I need a way to find if the interface is in promiscuous mode in win32. The reason being there is no packets recorded passing the interface unless directly addressed. The switch port to the sensor is spanned and the sensor running but no data is seen. Does RealSecure, or the network sensor have the functionality to debug it's status in this regard?
Thanks, Ayden -----Original Message----- From: Sergey V Soldatov [mailto:[EMAIL PROTECTED] Sent: Tuesday, 3 February 2004 12:12 AM To: [EMAIL PROTECTED] Cc: Ayden Nash Subject: Re: [ISSForum] Promiscuous mode [EMAIL PROTECTED]:~|349# ifconfig eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX inet addr:XX.XX.XX.XX Bcast:XX.XX.XX.XX Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:10756745 errors:0 dropped:0 overruns:0 frame:0 TX packets:16530360 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:625391422 (596.4 Mb) TX bytes:576352430 (549.6 Mb) Interrupt:10 Base address:0xd400 Memory:feafd000-feafd038 eth1 Link encap:Ethernet HWaddr 00:03:47:68:A9:90 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:1427505351 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:3010277194 (2870.8 Mb) TX bytes:2052 (2.0 Kb) Interrupt:5 Base address:0xd000 Memory:feafc000-feafc038 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:22314653 errors:0 dropped:0 overruns:0 frame:0 TX packets:22314653 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3686342944 (3515.5 Mb) TX bytes:3686342944 (3515.5 Mb) eth1 is in Promiscuous mode (PROMISC) Another way is to use tcpdump (windump - for Windows) to listen to traffic on interesting interface. If it is in promiscuous mode and is on SPAN port of switch you will see packets that addressed not only for your NIC. --- Best regards, Sergey V. Soldatov Department of information security, TNK-BP. "Ayden Nash" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent by: cc: [EMAIL PROTECTED] Subject: [ISSForum] Promiscuous mode 02.02.2004 02:35 Hi all, Is there a way to confirm that a NIC is in promiscuous mode once the network sensor has been installed? Thanks, Ayden _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
