Hans Nilsson wrote:
> Hello, I recently read the document "Promiscuous node detection using
> ARP packets" [1] about detecting network cards in promiscuous mode and
> sniffers with custom-built ARP-packets. For example tools like Cain and
> Abel [2] have that capability. But I was wondering if this actually works
> against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous
> mode but under options in Wireshark the card is in promiscuous mode and
> I can receive all the traffic on my LAN. So is this not a problem
> anymore since the NIC doesn't have to be manually set to promiscuous
> mode, Wireshark can do that on its own and therefore won't be detected
> by the ARP-technique?
>
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
First of all, on today's switched networks, the promiscuous mode has a lot less effect than it has on shared networks (e.g. ancient coax Ethernet) - using promiscuous mode will often have no effect (but this depends on your setup, see: http://wiki.wireshark.org/CaptureSetup/Ethernet).

Using promiscuous mode disables a hardware filter of the network interface. It's switched on/off by ifconfig or Wireshark (through libpcap/WinPcap) the same way, so it doesn't make *any difference* which software switched it.

Wireshark capture options won't show you the current state of the promisc. mode, but what it will use for capturing.

Regards, ULFL
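A local check for the interface state discussed in this thread, as an added example that is not part of the original messages: on Linux, `/sys/class/net/<iface>/flags` exposes the kernel's interface flags, and the `IFF_PROMISC` bit (0x100) is set there whichever program enabled promiscuous mode. The interface names and flag values in `SAMPLE` are constructed.

```python
import os

IFF_PROMISC = 0x100  # promiscuous bit, as defined in <linux/if.h>


def is_promiscuous(flags_text):
    """Return True if a sysfs flags value (e.g. '0x1103\\n') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flag_map):
    """Given {interface: sysfs flags text}, return the promiscuous ones, sorted."""
    return sorted(name for name, text in flag_map.items() if is_promiscuous(text))


def read_sysfs_flags(root="/sys/class/net"):
    """Collect the flags file of every interface; empty dict on non-Linux hosts."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue  # interface vanished or entry has no flags file
    return flags


# Constructed sample: loopback, a normal NIC, and a NIC with the
# hardware filter disabled (same flags as eth0 plus 0x100).
SAMPLE = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE))
    print("live:  ", promiscuous_interfaces(read_sysfs_flags()))
```

Run on the capture host while a capture is active, the "live" line lists the interfaces the kernel currently has in promiscuous mode.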
