Bugtraq mailing list archives
Re: Incorrect Linux ARP behavior
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Sat, 19 Sep 1998 08:40:45 -0400
In message <199809190201.TAA15205 () eris webcom com>, pedward () WEBCOM COM writes:
if(ether_header_destination != device_hardware_address) return;When you place the interface in promiscuous mode (on Linux), this chunk of code is exactly what you're bypassing. It would probably be more accurate to say that the sniffer detector simply finds machines that are in promiscuous mode, and exhibit the behaviour that ARPs are returned for ETH's not it's own. You can detect if a box is in promiscuous mode easier if: Send a packet with the correct IP of the box:odd port, but the wrong ETH address. If you get an RST, the box is in promiscuous mode. If you do not, it's not.
That depends on the stack. Many platforms already check the Ethernet address before accepting IP packets. (I can't speak for Linux, but I did check several others a few years ago.)
Current thread:
- Re: Incorrect Linux ARP behavior Steven M. Bellovin (Sep 18)
- <Possible follow-ups>
- Re: Incorrect Linux ARP behavior Steven M. Bellovin (Sep 19)