Re: Tools to detect promiscuous interfaces?
From: Vincent Touquet (vincent@ulyssis.org)
Date: 08/07/01
- Previous message: Mike Craik: "Re: tcp dump log analysis"
- In reply to: Rafael 'Dido' Sevilla: "Tools to detect promiscuous interfaces?"
- Next in thread: Jose Luis: "Re: Tools to detect promiscuous interfaces?"
Date: Tue, 7 Aug 2001 17:53:12 +0200
From: Vincent Touquet <vincent@ulyssis.org>
To: "Rafael 'Dido' Sevilla" <sevillar@team.ph.inter.net>
Subject: Re: Tools to detect promiscuous interfaces?
Message-ID: <20010807175312.A22393@ace.ulyssis.org>
On Mon, Aug 06, 2001 at 04:32:16PM +0800, Rafael 'Dido' Sevilla wrote:
>Does anyone know of any free tools for detecting whether promiscuous
>ethernet interfaces are active on a given ethernet segment? Other
>than inspecting each and every such machine for suspicious behavior...
Ehm, IMHO this is not possible.
The packets are on the wire and the ethernet interface just grabs them as they pass. There is _no way_ to remotely check if the ethernet frames get passed onto the IP layer or not.
You know, as was posted on one of the securityfocus lists, you can also install a totally undetectable ethernet bridge (operating solely at layer 2 - ethernet frame layer), which logs the frames. The bridge doesn't need an IP, doesn't do ARP or anything, it just listens and logs. Now try and detect this remotely ;)
This is a powerful forensics tool (you have a complete log of the frames which passed on the wire) and also a powerful tool for intruders (but a knife always cuts on both sides in the security world) - much like a hardware-based keylogger.
Regards
-v