Subject: Re: Detecting Sniffing?
To: None <greywolf@lonewolf.ithaca.com>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: current-users
Date: 01/13/1995 10:05:44

> There is no way to detect that someone else's net IF is in promisc
> mode.

Not if the person is really thorough.  But if all that's being done is
that something like SunOS nit is being used, there is a way: emit a packet
addressed to an Ethernet address not in use on that segment, but with
the suspect machine's IP address in the IP to-address field.  Make it
something you can count on to draw a reply, like an ICMP echo request
("ping").  Then if the interface is promiscuous, the packet will be
picked up, the Ethernet code will blindly strip the Ethernet header and
kick it upstairs to IP, which will obediently reply to you.  But if the
interface isn't running promiscuous, the packet will not even be picked
up off the wire.  (The Ethernet-from and IP-from addresses in the
packet you emit should probably be correct values for your own
interface on that segment.)

This assumes Ethernet.  Other media may or may not have similar
potential. :-)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
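
The probe described in the message above, as an added example that is not part of the original post: it builds the Ethernet frame (unused destination MAC, the suspect's IP address, ICMP echo request) and checks captured frames for the matching echo reply. The function names, the ICMP identifier and all addresses used with it are constructed for illustration, and `send_probe` assumes a Linux `AF_PACKET` socket.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by both the IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_probe(my_mac, my_ip, unused_mac, suspect_ip, ident=0x4D4F, seq=1):
    """Ethernet frame: to an unused MAC, carrying a ping for suspect_ip."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64,
                      1, 0, socket.inet_aton(my_ip), socket.inet_aton(suspect_ip))
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    # Ethernet-from and IP-from are our real addresses, as the post advises.
    return mac(unused_mac) + mac(my_mac) + b"\x08\x00" + iph + icmp

def is_probe_reply(frame: bytes, suspect_ip: str, ident=0x4D4F, seq=1) -> bool:
    """True if a captured frame is the suspect's echo reply to our probe."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # too short / not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or frame[26:30] != socket.inet_aton(suspect_ip):
        return False                                     # not ICMP from suspect
    total_len = struct.unpack("!H", frame[16:18])[0]     # trims Ethernet padding
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8:
        return False
    kind, _, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return kind == 0 and (rid, rseq) == (ident, seq) and checksum(icmp) == 0

def send_probe(ifname: str, frame: bytes) -> None:
    """Assumption: Linux AF_PACKET raw socket on ifname; needs root."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        s.send(frame)
```

A matching reply means the suspect's interface picked up a frame that was not addressed to it; silence proves nothing, since, as the message says, a thorough sniffer will not answer.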