RE: sniffer in promiscuous mode

From: Damon Sisola (dsisola@osius.com)
Date: 02/07/02


From: "Damon Sisola" <dsisola@osius.com>
To: "'Siddharta Govindaraj'" <govind@iiitb.ac.in>
Date: Thu, 7 Feb 2002 10:29:15 -0800

I had the same problem, and a strange resolution. I was using RH Linux with
promiscuous mode tools including snort, tcpdump, and iptraf, and all of
those tools would only see broadcasts and traffic to/from the localhost. It
ended up that the NIC being used to monitor the segment was negotiating 10MB
half-duplex and all of the other hosts on the hub were running 100MB
full-duplex. Once I got the monitor interface running at 100, all of the
traffic flowing across the wire became visible.

I don't quite understand why this would happen, and if anyone has an
explanation please share with us.

Damon

-----Original Message-----
From: Smith, Chris [mailto:csmith@Calence.com]
Sent: Wednesday, February 06, 2002 12:14 PM
To: 'Siddharta Govindaraj'
Cc: 'security-basics@securityfocus.com'
Subject: RE: sniffer in promiscuous mode

Are you in a switched environment? If so you will need to span ports (copy
traffic from one port to another) so the port with the sniffer gets copies
of the frames and can read the traffic. Normally switches utilize
"microsegmentation" - only copying frames to the port owning the destination
MAC address(es). You will see ARP and other broadcast traffic as broadcasts
(mac = FF:FF:FF:FF:FF:FF) are copied to each port.

-----Original Message-----
From: Siddharta Govindaraj [mailto:govind@iiitb.ac.in]
Sent: Tuesday, February 05, 2002 8:04 AM
To: security-basics@securityfocus.com
Subject: sniffer in promiscuous mode

Hi,

I have a funny problem with the ethereal packet sniffer. It correctly
captures all packets entering or leaving my interface, but in promiscuous
mode, it only seems to capture ARP, NETBIOS, IPX, RIP and such protocols,
and never seems to get any UDP or TCP packets! I have tried other sniffers,
and they all exhibit the same behaviour, so I don't think it's a sniffer
problem. Is there something else I have to do to capture TCP packets? Or
could it be something to do with Wincap?

Thanks
Siddharta
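
The symptom discussed in this thread can be checked from the capture itself and from the monitor interface's link state. The following is an added example, not part of the original messages: it tallies captured Ethernet frames by destination type (zero foreign unicast frames matches both the switched-port and the speed/duplex cases described above) and reads the negotiated speed, duplex and promiscuous flag from Linux sysfs. The function names, the interface name `eth0` and the sample frames are assumptions constructed for illustration.

```python
import os

BROADCAST = bytes.fromhex("ffffffffffff")
IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

def classify(frame: bytes, own_mac: bytes) -> str:
    """Classify one raw Ethernet frame by its destination/source MAC."""
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                 # group bit set: multicast
        return "multicast"
    if own_mac in (dst, src):         # traffic to/from the sniffer host
        return "own"
    return "foreign_unicast"          # only visible if the port sees the segment

def summarize(frames, own_mac):
    """Count frames per class; foreign_unicast == 0 reproduces the symptom."""
    counts = {"broadcast": 0, "multicast": 0, "own": 0, "foreign_unicast": 0}
    for f in frames:
        if len(f) >= 14:              # skip anything shorter than an Ethernet header
            counts[classify(f, own_mac)] += 1
    return counts

def link_settings(iface, sysfs_root="/sys/class/net"):
    """Read negotiated speed (Mb/s), duplex and promiscuous flag from sysfs."""
    def read(name):
        try:
            with open(os.path.join(sysfs_root, iface, name)) as fh:
                return fh.read().strip()
        except OSError:               # file missing, or link down (speed unreadable)
            return None
    flags = read("flags")
    return {"speed_mbps": read("speed"), "duplex": read("duplex"),
            "promisc": bool(int(flags, 16) & IFF_PROMISC) if flags else None}

def make_frame(dst, src, ethertype="0800"):
    return bytes.fromhex(dst + src + ethertype) + b"\x00" * 46

# Constructed sample capture (not real traffic): what a sniffer sees when
# no other host's unicast frames reach its port.
OWN = bytes.fromhex("020000000001")
SAMPLE = [
    make_frame("ffffffffffff", "020000000002", "0806"),  # ARP broadcast
    make_frame("01005e000009", "020000000003"),          # IP multicast
    make_frame("020000000001", "020000000002"),          # unicast to sniffer host
]

if __name__ == "__main__":
    print(summarize(SAMPLE, OWN))
    print(link_settings("eth0"))      # "eth0" is an assumed interface name
```
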


