From: Barney Wolff
To: freebsd-net@FreeBSD.ORG
Date: Mon, 15 Feb 1999 14:31 EST
Subject: Re: Router stats & NIC in prom. mode...
Message-ID: <36c877540.71db@databus.databus.com>

Send a packet to the IP of the suspect machine, with a "wrong" MAC.
If it answers, it's snooping. Not surefire, of course, but probably
works unless the bad guy has altered the net code. Clipping the xmit
lead is harder than it used to be.

Barney Wolff

> From: "Louis A. Mamakos"
> Date: Mon, 15 Feb 1999 13:55:12 -0500
>
> > > Also, I need a program that checks the local ethernet for network cards
> > > that are in promiscuous mode.. I found a few, but none would compile on
> > > FreeBSD.. if anyone can recommend anything it would be appreciated.
>
> I'm really curious. What mechanism can you use to detect that another
> Ethernet MAC is accepting all frames, rather than filtering on multicast,
> broadcast or frames addressed to the built-in MAC address?
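The check described in the reply above, sketched as an added example that is not part of the original message or of any FreeBSD tool: it builds an ICMP echo request for the suspect IP inside a frame addressed to a MAC no host owns, and recognises the matching echo reply in captured frames. The function names, the bogus MAC and the sample addresses are assumptions; putting the frame on the wire and capturing replies (for instance through BPF) is left to the caller.

```python
import socket
import struct

# Assumed value: a locally administered unicast MAC that no host on the segment owns.
BOGUS_DST_MAC = bytes.fromhex("02deadbeef01")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(src_mac: bytes, src_ip: str, suspect_ip: str, ident: int, seq: int = 1) -> bytes:
    """Echo request to suspect_ip, wrapped in a frame sent to the "wrong" MAC."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(suspect_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return BOGUS_DST_MAC + src_mac + b"\x08\x00" + ip + icmp

def is_probe_reply(frame: bytes, suspect_ip: str, ident: int) -> bool:
    """True if frame is an ICMP echo reply from suspect_ip carrying our identifier."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return False                      # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    if frame[23] != 1 or frame[26:30] != socket.inet_aton(suspect_ip):
        return False                      # not ICMP, or not from the suspect
    icmp = frame[14 + ihl:]
    if len(icmp) < 8:
        return False
    typ, code, _, rid, _ = struct.unpack("!BBHHH", icmp[:8])
    return typ == 0 and code == 0 and rid == ident

if __name__ == "__main__":
    # Constructed sample values: made-up source MAC, documentation-range addresses.
    probe = build_probe(bytes.fromhex("020000000001"), "192.0.2.10", "192.0.2.20", 0x1234)
    print(probe.hex())
```

A matching reply means the suspect's interface accepted a frame its address filter should have dropped; as the message notes, silence proves nothing.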