02-04-2010, 06:38 AM
Bruno Wolff III

how to find out promiscuous mode

On Thu, Feb 04, 2010 at 09:06:27 +0200,
Gilboa Davara <gilboad@gmail.com> wrote:
>
> Having said all that, if your network is switched (as opposed to using
> cheap FE hubs), only broadcast traffic (ARP/DHCP/etc) will be visible in
> promisc mode.

Mostly. There are other circumstances where a packet can be sent to all of
the ports even without machines/people trying to game things.

General advice is to treat switches as a way of improving network related
performance (relative to hubs), not as security devices.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
02-04-2010, 09:02 AM
Gilboa Davara

On Thu, 2010-02-04 at 01:38 -0600, Bruno Wolff III wrote:
> On Thu, Feb 04, 2010 at 09:06:27 +0200,
> Gilboa Davara <gilboad@gmail.com> wrote:
> >
> > Having said all that, if your network is switched (as opposed to using
> > cheap FE hubs), only broadcast traffic (ARP/DHCP/etc) will be visible in
> > promisc mode.
>
> Mostly. There are other circumstances where a packet can be sent to all of
> the ports even without machines/people trying to game things.
>
> General advice is to treat switches as a way of improving network related
> performance (relative to hubs), not as security devices.

I fully agree. (I never meant to suggest that switches are to be treated
as security devices - though I can understand why my post could be read
as such)
If you want to move sensitive information over the wire, use strong
encryption.

- Gilboa

02-04-2010, 10:17 AM
Alan Cox

On Thu, 04 Feb 2010 09:06:27 +0200
Gilboa Davara <gilboad@gmail.com> wrote:

> On Wed, 2010-02-03 at 23:11 +0100, Vadkan Jozsef wrote:
> > How can I find out that someone is using its network card in
> > promiscuous mode in a subnet?
> >
> > Thank you!
> >
>
> You can't.
> ... and even if you could, someone could potentially use a passive
> splitter and yank all the packets of the subnet.
>
> Having said all that, if your network is switched (as opposed to using
> cheap FE hubs), only broadcast traffic (ARP/DHCP/etc) will be visible in
> promisc mode.

Which won't save you against a smart attacker unless you are keeping
an eye on the traffic on the network.

If I want to listen to IP traffic between A and B I can spoof ARP
frames in both directions, the switch will ensure neither box sees the
unicast arps being used to poison the other and I can then forward the
frames with the mac headers faked.

Alan
02-04-2010, 11:59 AM
Gilboa Davara

On Thu, 2010-02-04 at 11:17 +0000, Alan Cox wrote:
> On Thu, 04 Feb 2010 09:06:27 +0200
> Gilboa Davara <gilboad@gmail.com> wrote:
>
> > On Wed, 2010-02-03 at 23:11 +0100, Vadkan Jozsef wrote:
> > > How can I find out that someone is using its network card in
> > > promiscuous mode in a subnet?
> > >
> > > Thank you!
> > >
> >
> > You can't.
> > ... and even if you could, someone could potentially use a passive
> > splitter and yank all the packets of the subnet.
> >
> > Having said all that, if your network is switched (as opposed to using
> > cheap FE hubs), only broadcast traffic (ARP/DHCP/etc) will be visible in
> > promisc mode.
>
> Which won't save you against a smart attacker unless you are keeping
> an eye on the traffic on the network.
>
> If I want to listen to IP traffic between A and B I can spoof ARP
> frames in both directions, the switch will ensure neither box sees the
> unicast arps being used to poison the other and I can then forward the
> frames with the mac headers faked.
>
> Alan

I'm well aware of that.
Please read my second comment.

- Gilboa

02-07-2010, 02:15 AM
Markus Falb

On 03/02/2010 23:28, Bill Campbell wrote:
> On Wed, Feb 03, 2010, Vadkan Jozsef wrote:
>> How can I find out that someone is using its network card in
>> promiscuous mode in a subnet?
>
> We use the swatch log watcher, to detect lines like this in
> /var/log/messages (this is from a system running VMware virtual
> machines in bridging mode so this is normal):

I believe the interface flags are defined in the kernel sources in
include/linux/if.h
#define IFF_PROMISC 0x100 /* receive all packets */

You can read the flags from /sys

Promiscuous mode off:
#$ cat /sys/class/net/eth0/flags
0x1003

Promiscuous mode on:
#$ cat /sys/class/net/eth0/flags
0x1103

Anyway, both grepping the logs and looking at /sys require local access.

- --
best regards,
markus

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
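
Added example (not part of the thread or of any poster's message): a shell function that applies the IFF_PROMISC check from the post above to every interface under /sys/class/net rather than a single eth0. The function name `promisc_ifaces` and its optional directory argument are assumptions of this example; the flag value 0x100 is the one quoted in the post.

```shell
#!/bin/sh
# IFF_PROMISC bit, as quoted in the post from include/linux/if.h.
IFF_PROMISC=0x100

# promisc_ifaces [NET_DIR]
# Print the name of every interface whose sysfs flags word has
# IFF_PROMISC set. NET_DIR defaults to /sys/class/net; the argument is
# an assumption of this example so a copied tree can be inspected too.
promisc_ifaces() {
    net_dir=${1:-/sys/class/net}
    for dev in "$net_dir"/*; do
        # Skip entries that are not interfaces (no readable flags file).
        [ -r "$dev/flags" ] || continue
        flags=$(cat "$dev/flags" 2>/dev/null) || continue
        # Accept only a well-formed hex word such as 0x1103.
        hex=${flags#0x}
        [ "$hex" != "$flags" ] || continue
        case $hex in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        # Bitwise AND against IFF_PROMISC, as in 0x1103 & 0x100.
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            printf '%s\n' "${dev##*/}"
        fi
    done
    return 0
}

# Stand-alone use: sh this-script.sh [NET_DIR]
promisc_ifaces "$@"
```

As the post says, this needs local access to the host being checked; it says nothing about other machines on the subnet.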
 
05-03-2010, 06:02 AM
Nifty Cluster Mitch

On Thu, Feb 04, 2010 at 09:45:26AM +1100, Les Bell wrote:
> Vadkan Jozsef <jozsi.avadkan@gmail.com> wrote:
>
> >>
> How can I find out that someone is using its network card in
> promiscuous mode in a subnet?
> <<
>
> http://sourceforge.net/projects/prodetect/
>

Strictly you cannot tell if a remote card is in promiscuous mode.

Some card drivers correctly switch to promiscuous mode when more than
one multicast address is being listened to and there is no external
clue that it has done so. For what it is worth the MAC of the card can
see all the bits on the wire and above the MAC are a collection
of hardware and software filters that gate the bits further
up the stack.

Switches limit the ability of a host to snoop but some
traffic is still seen on all nodes. Once a host is seen some
attacks become possible which is why the expensive switches
have a market.


--
T o m M i t c h e l l
Found me a new hat, now what?
