Nmap Announce mailing list archives

Re: Promiscuous mode detection

From: Bennett Todd <bet () newritz mordor net>
Date: Thu, 4 Mar 1999 21:37:58 +0000

The code posted reports whether the machine is it run on has its interface in
promisc mode; so does "ifconfig -a|grep PROMISC".

If you want to check other systems, well, the short answer is, you can't, in
general. This gets discussed a lot:-). Some versions OSes can be detected if
they are put in promisc mode; a typical style hack is to send a ping to the
IP broadcast address with a specific destination MAC address not found on
your net, and listen for answers. I don't know how to gen up such a packet.
It might suffice to stuff an arp entry into the arp cache for the IP broadcast
address, I dunno if that would work. May work better if you use the "other"
bcast addr; e.g. the Linux system I'm looking at now is using the .255 bcast
addr, so it might work better to try setting the arp entry for the .0 addr to
some known-absent MAC addr, then try sending a ping at the .0 addr. Anybody
answers, their interfaces are in promisc, but some OSes might not answer even
if their IF is promisc.

-Bennett

Current thread:

Promiscuous mode detection Bruce Dennison (Mar 04)
- Re: Promiscuous mode detection Jeremy Johnson (Mar 04)
  - Re: Promiscuous mode detection Andrew Brown (Mar 04)
- Re: Promiscuous mode detection Bennett Todd (Mar 04)
  - Re: Promiscuous mode detection Adam Shostack (Mar 04)
    - Re: Promiscuous mode detection Dug Song (Mar 04)
    - Re: Promiscuous mode detection rich (Mar 04)
    - Re: Promiscuous mode detection Eric Estabrooks (Mar 04)
  - Re: Promiscuous mode detection Jordan Ritter (Mar 04)
  - Re: Promiscuous mode detection Joel Eriksson (Mar 04)
- Re: Promiscuous mode detection Arley Carter (Mar 04)
- Re: Promiscuous mode detection Joel Eriksson (Mar 04)
- <Possible follow-ups>
- Re: Promiscuous mode detection Jon Marler (Mar 04)
- Re: Promiscuous mode detection Bruce Dennison (Mar 04)

(Thread continues...)