Ok, thanks for the information both of you. I think I'll have to do some testing to see what happens, trying some of the test packets in the PDF. I can post my results here later.
On Fri, 13 Oct 2006 15:28:30 -0700, "Guy Harris" <[EMAIL PROTECTED]> said:
>
> On Oct 13, 2006, at 11:19 AM, Hans Nilsson wrote:
>
> > Hello, I recently read the document "Promiscuous node detection using
> > ARP packets" [1] about detecting network cards in promiscuous mode and
> > sniffers with custom-built ARP-packets. For example tools like Cain and
> > Abel [2] have that capability. But I was wondering if this actually works
> > against Wireshark?
> >
> > When I do ifconfig my network card is not listed as being in promiscuous
> > mode but under options in Wireshark the card is in promiscuous mode and
> > I can receive all the traffic on my LAN.
>
> Ifconfig does not necessarily report whether a device is really in
> promiscuous mode. For example, on Linux, as I remember, in Linux 2.2
> and later there's a promiscuous mode flag that can be set and cleared
> with ifconfig and the ioctls ifconfig uses, and another promiscuous
> mode flag that's set and cleared with different ioctls and that's not
> available to ifconfig.
>
> Libpcap's used the latter flag for quite a while.
>
> > So is this not a problem
> > anymore since the NIC doesn't have to be manually set to promiscuous
> > mode, Wireshark can do that on its own
>
> Wireshark has always put the card into promiscuous mode by calling
> libpcap; you never had to do it from the command line.
>
> > and therefore won't be detected by the ARP-technique?
>
> The ARP technique depends on packets received by virtue of being in
> promiscuous mode (i.e., packets that the network adapter would not
> have supplied to the host if the adapter hadn't been in promiscuous
> mode) being supplied not only to whatever mechanism is used by sniffer
> applications but also to the main networking stack.
>
> If that happens, the ARP technique might work; if so, it works if the
> adapter is in promiscuous mode, regardless of how it's put into
> promiscuous mode.
>
> If that doesn't happen, the ARP technique wouldn't work.

--
Hans Nilsson
[EMAIL PROTECTED]

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
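
An added example, not part of the thread and not Wireshark or libpcap code: a Linux-only local check that compares the flags the kernel exposes in `/sys/class/net/<if>/flags` with the flags returned by the `SIOCGIFFLAGS` ioctl that ifconfig reads, which makes the gap between the two promiscuous-mode flags described in the quoted reply visible. The function names and the reliance on the sysfs `flags` file are choices made for this example.

```python
import fcntl
import os
import socket
import struct

IFF_PROMISC = 0x100     # promiscuous bit, from <linux/if.h>
SIOCGIFFLAGS = 0x8913   # ioctl ifconfig uses to read interface flags


def parse_sysfs_flags(text):
    """Parse the hex string stored in /sys/class/net/<if>/flags."""
    return int(text.strip(), 16)


def ioctl_flags(ifname):
    """Return the interface flags as ifconfig sees them (SIOCGIFFLAGS)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack("16sH22x", ifname.encode(), 0)  # struct ifreq
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req)
    return struct.unpack("16sH22x", res)[1]


def classify(kernel_flags, ifconfig_flags):
    """Compare the kernel's own flags with the ifconfig view."""
    if not kernel_flags & IFF_PROMISC:
        return "not promiscuous"
    if ifconfig_flags & IFF_PROMISC:
        return "promiscuous, visible to ifconfig"
    # Set through another path (for example a packet-socket membership,
    # as libpcap does), so the ifconfig view does not show it.
    return "promiscuous, hidden from ifconfig"


def audit(sysfs_root="/sys/class/net", ioctl_reader=ioctl_flags):
    """Return {interface: state} for every interface under sysfs_root."""
    report = {}
    for ifname in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, ifname, "flags")) as fh:
                kernel = parse_sysfs_flags(fh.read())
            report[ifname] = classify(kernel, ioctl_reader(ifname))
        except OSError:
            continue  # not an interface directory, or interface vanished
    return report


if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name}: {state}")
```

Run it while a capture is active on the host: an interface reported as "hidden from ifconfig" is in promiscuous mode even though ifconfig does not list the PROMISC flag.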
