Re: Incorrect Linux ARP behavior

[smb () RESEARCH ATT COM (Steven M. Bellovin)]

In message <199809190201.TAA15205 () eris webcom com>, pedward () WEBCOM COM writes:
> > if(ether_header_destination != device_hardware_address) return;
>
> When you place the interface in promiscuous mode (on Linux), this chunk
> of code is exactly what you're bypassing.
>
> It would probably be more accurate to say that the sniffer detector
> simply finds machines that are in promiscuous mode, and exhibit the
> behaviour that ARPs are returned for ETH's not it's own.
>
> You can detect if a box is in promiscuous mode easier if:
>
> Send a packet with the correct IP of the box:odd port, but the wrong ETH
> address.  If you get an RST, the box is in promiscuous mode.  If
> you do not, it's not.

That depends on the stack.  Many platforms already check the Ethernet
address before accepting IP packets.  (I can't speak for Linux, but
I did check several others a few years ago.)