Hi, results look consistent to me. No matter how the NIC is set to promiscuous mode, the result is the same.
Thanx,
Jaap

On Mon, 16 Oct 2006, Hans Nilsson wrote:

> Ok, here are the results. I scanned a box running Linux 2.6.X with
> different NIC and Wireshark settings using Cain & Abel from a box
> running Windows XP SP2.
>
>                                                                            B31  B16  B8   Gr   M0   M1   M3
> Wireshark Off - NIC Normal mode                                            0    0    0    0    0    X    X
> Wireshark Off - NIC Promiscuous mode                                       X    X    X    X    X    X    X
> Wireshark On - NIC Normal mode - Promiscuous mode not set in Options       0    0    0    0    0    X    X
> Wireshark On - NIC Normal mode - Promiscuous mode set in Options           X    X    X    X    X    X    X
> Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options  X    X    X    X    X    X    X
> Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options      X    X    X    X    X    X    X
>
> If the formatting's screwed up, here's an image:
> http://i9.tinypic.com/2dhwbpc.png
>
> X = Got ARP Reply
> 0 = Did not get ARP Reply
> B31 = ARP destination FF:FF:FF:FF:FF:FE
> B16 = ARP destination FF:FF:00:00:00:00
> B8 = ARP destination FF:00:00:00:00:00
> Gr = ARP destination 01:00:00:00:00:00
> M0 = ARP destination 01:00:5e:00:00:00
> M1 = ARP destination 01:00:5e:00:00:01
> M3 = ARP destination 01:00:5e:00:00:03
>
> Read the PDF from my previous post for more clarification:
> http://www.securityfriday.com/promiscuous_detection_01.pdf
>
> So apparently you can quite easily detect if someone's running Wireshark
> on your network. (Assuming they haven't set up special rules to not
> reply to these revealing ARP-packets or something like that.)
>
> On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <[EMAIL PROTECTED]>
> said:
> > Hello, I recently read the document "Promiscuous node detection using
> > ARP packets" [1] about detecting network cards in promiscuous mode and
> > sniffers with custom-built ARP-packets. For example tools like Cain and
> > Abel [2] have that capability. But I was wondering if this actually works
> > against Wireshark?
> >
> > When I do ifconfig my network card is not listed as being in promiscuous
> > mode but under options in Wireshark the card is in promiscuous mode and
> > I can receive all the traffic on my LAN. So is this not a problem
> > anymore since the NIC doesn't have to be manually set to promiscuous
> > mode, Wireshark can do that on its own and therefore won't be detected
> > by the ARP-technique?
> >
> > [1]
> > http://www.securityfriday.com/promiscuous_detection_01.pdf
> > [2]
> > http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> > --
> > Hans Nilsson
> > [EMAIL PROTECTED]
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > [email protected]
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> --
> Hans Nilsson
> [EMAIL PROTECTED]
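Added example, not part of the original thread: the result table reported above, transcribed into Python, with the probes that separate a normal-mode host from a promiscuous one derived from the data and each tested configuration classified from its replies. The function names are illustrative assumptions; the probe addresses and X/0 values are the ones given in the post.

```python
# Probe labels and ARP destination MACs exactly as listed in the post.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe", "B16": "ff:ff:00:00:00:00",
    "B8": "ff:00:00:00:00:00", "Gr": "01:00:00:00:00:00",
    "M0": "01:00:5e:00:00:00", "M1": "01:00:5e:00:00:01",
    "M3": "01:00:5e:00:00:03",
}

# Result table from the post (Linux 2.6.X target): X = ARP reply, 0 = none.
RESULTS = """\
Wireshark Off - NIC Normal mode | 0 0 0 0 0 X X
Wireshark Off - NIC Promiscuous mode | X X X X X X X
Wireshark On - NIC Normal mode - Promiscuous mode not set in Options | 0 0 0 0 0 X X
Wireshark On - NIC Normal mode - Promiscuous mode set in Options | X X X X X X X
Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options | X X X X X X X
Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options | X X X X X X X
"""
BASELINE = "Wireshark Off - NIC Normal mode"

def parse_results(text):
    """Map each configuration to the set of probe labels that drew a reply."""
    rows = {}
    for line in text.strip().splitlines():
        label, cells = (part.strip() for part in line.split("|"))
        marks = cells.split()
        if len(marks) != len(PROBES):
            raise ValueError(f"expected {len(PROBES)} results: {line!r}")
        rows[label] = {p for p, m in zip(PROBES, marks) if m == "X"}
    return rows

def indicator_probes(rows, baseline=BASELINE):
    """Probes the baseline host ignores; a reply to any of them is the tell."""
    return set(PROBES) - rows[baseline]

def classify(replied, indicators):
    """Return (verdict, evidence); one indicator reply is enough to flag."""
    evidence = sorted(set(replied) & indicators)
    return ("promiscuous" if evidence else "normal"), evidence

def flagged_configurations(rows):
    indicators = indicator_probes(rows)
    return [c for c, r in rows.items() if classify(r, indicators)[0] == "promiscuous"]

if __name__ == "__main__":
    table = parse_results(RESULTS)
    print("indicator probes:", sorted(indicator_probes(table)))
    print("flagged:", *flagged_configurations(table), sep="\n  ")
```

M1 and M3 drop out as indicators because the normal-mode baseline already answers them, so only replies to B31, B16, B8, Gr or M0 carry information about this target.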
