Ethereal-users: Re: [Ethereal-users] What does it mean to "Capture" packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 28 Aug 2004 06:10:18 +1000
Linux for example has weak bonding between a NIC and the IP addresses
that are assigned in the IP layer.

Say you have two NICs connected to the same network, eth0 and eth1
eth0 has an IP address a.b.c.d  but eth1 does not have any ip address assigned.

Due to the fact that the stack treats all IP addresses as global to
the machine and not really bound to a particular interface (ifconfig
lies to you here and makes you believe the ip address is bound to a
nic)

someone can :
broadcast ARP for a.b.c.d and will get TWO replies, one reply from
each of the NICs.

someone can ARP for a.b.c.d on a garbage nonexistent NIC and he/she will
get a reply from your NIC that is in promisc mode, even though that
particular NIC did not have ip address a.b.c.d   as long as a.b.c.d is
the ip address of some other interface on your linux box.

many many other techniques exist as well.


(the weak bonding between NIC and ip address causes lots of problems
with multihomed boxens sitting behind broken loadbalancers and they
have then to set up software arp/mac filtering in the network stack to
prevent these replies)


On Fri, 27 Aug 2004 14:51:55 -0500, Stef <stefmit@xxxxxxxxx> wrote:
> I have my ethereal running on a non-IP-bound NIC, on my Linux box. Can
> you please explain your statement to me?
> 
> Thx,
> Stef
> 
> On Sat, 28 Aug 2004 05:40:17 +1000, ronnie sahlberg
> <ronniesahlberg@xxxxxxxxx> wrote:
> <snip>
> > One of many many ways to spot such a NIC is trying to ping your host but sending
> > the ping to a dummy/fake MAC address.
> > If your NIC is in promisc mode  it will be passed through the NIC and
> > your network stack will respond to the ping.
> <snip>
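
The message above mentions ARP filtering in the network stack as the way to suppress these replies. As an added example (not part of the original post), this script audits the Linux `arp_ignore` and `arp_filter` sysctls per interface and reports which interfaces will still answer ARP for an address held by another interface; the verdict strings are labels chosen for this example.

```python
#!/usr/bin/env python3
"""Audit which Linux interfaces answer ARP for addresses held by other interfaces."""
import os
import sys

CONF_ROOT = "/proc/sys/net/ipv4/conf"   # standard Linux sysctl tree

def read_int(root, iface, name):
    """Read one integer sysctl; a missing file counts as the kernel default 0."""
    try:
        with open(os.path.join(root, iface, name)) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0

def classify(arp_ignore, arp_filter):
    """Map the effective settings to a verdict (labels are this example's own)."""
    if arp_ignore == 8:
        return "silent"          # never answers ARP for local addresses
    if arp_ignore in (1, 2):
        return "bound"           # answers only for addresses on the receiving NIC
    if arp_filter:
        return "route-filtered"  # answers only if the reply would be routed out this NIC
    return "any-local-ip"        # 0 (default) or 3: may answer for another NIC's address

def audit(root=CONF_ROOT):
    """Return {interface: verdict} for every interface under root."""
    result = {}
    all_ignore = read_int(root, "all", "arp_ignore")
    all_filter = read_int(root, "all", "arp_filter")
    for iface in sorted(os.listdir(root)):
        if iface in ("all", "default", "lo"):
            continue
        # Kernel rule: arp_ignore uses max(all, iface); arp_filter is on if either is set.
        ignore = max(all_ignore, read_int(root, iface, "arp_ignore"))
        filt = all_filter or read_int(root, iface, "arp_filter")
        result[iface] = classify(ignore, filt)
    return result

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else CONF_ROOT
    for iface, verdict in audit(root).items():
        print(f"{iface:12} {verdict}")
```

An interface reported as `any-local-ip` shows the behaviour described in the message; setting `arp_ignore` to 1 on it (or on `all`) moves it to `bound`.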