Ethereal-users: Re: [Ethereal-users] What does it mean to "Capture" packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 27 Aug 2004 11:45:18 -0700
Jerry Talkington wrote:


You are partially correct.  It is possible for network monitors to
detect nics in promiscuous mode.
...sometimes. There's nothing *electrically* different about a promiscuous-mode network interface, so there's no guaranteed low-level way of detecting a promiscuous interface. There might be Token Ring mechanisms for discovering whether there's a promiscuous-mode interface on the network, but there's no Ethernet mechanism of that sort. I think the detection mechanisms detect things such as slower network responses from the machine running in promiscuous mode (because, for example, they're processing more packets) or perhaps responses to packets that the machine wouldn't be expected to respond to - but a machine that's running as a *purely* passive sniffer (i.e., not configured to treat any packets on the interface as regular network input) might be undetectable.