Hans Nilsson wrote:
Hello, I recently read the document "Promiscuous node detection using
ARP packets" [1] about detecting network cards in promiscuous mode and
sniffers with custom-built ARP-packets. For example tools like Cain and
Abel [2] has that capability. But I was wondering if this actually works
against Wireshark?
When I do ifconfig my network card is not listed as being in promiscuous
mode but under options in Wireshark the card is in promiscuous mode and
I can receive all the traffic on my LAN. So is this not a problem
anymore since the NIC doesn't have to be manually set to promiscuous
mode, Wireshark can do that on it's own and therefore won't be detected
by the ARP-technique?
[1]
http://www.securityfriday.com/promiscuous_detection_01.pdf
[2]
http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
First of all, on todays switched networks, the promiscuous mode has a
lot less effect than it has on shared networks (e.g. ancient coax
Ethernet) - using promiscuous mode will often have no effect (but this
depends on your setup, see:
http://wiki.wireshark.org/CaptureSetup/Ethernet).
Using promiscuous mode disables a hardware filter of the network
interface. It's switched on/off by ifconfig or Wireshark (through
libpcap/WinPcap) the same way, so it doesn't make *any difference* which
software switched it.
Wireshark capture options won't show you the current state of the
promisc. mode, but what it will use for capturing.
Regards, ULFL