Subject: Re: Detecting Sniffing?
To: None <mouse@Collatz.McRCIM.McGill.EDU>
From: Charles M. Hannum <>
List: current-users
Date: 01/13/1995 11:03:10
   Not if the person is really thorough.  But if all that's being done is
   that something like SunOS nit is being used, there is a way: emit a packet
   addressed to an Ethernet address not in use on that segment, but with
   the suspect machine's IP address in the IP to-address field.  Make it
   something you can count on to draw a reply, like an ICMP echo request
   ("ping").  Then if the interface is promiscuous, the packet will be
   picked up, the Ethernet code will blindly strip the Ethernet header and
   kick it upstairs to IP, which will obediently reply to you.

Nope.  I quote:

		if ((ifp->if_flags & IFF_PROMISC) &&
		    (eh->ether_dhost[0] & 1) == 0 && /* !mcast and !bcast */
		    bcmp(eh->ether_dhost, sc->sc_arpcom.ac_enaddr,
			    sizeof(eh->ether_dhost)) != 0) {

Doing otherwise would be a *significant* performance hit.
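
Added example, not part of the original message and not the driver's own code: a small userland C model of the receive path, showing that the probe described in the quoted text only draws a reply from a promiscuous interface whose driver lacks the check quoted above. The names hw_accepts, driver_drops, probe_reaches_ip and MODEL_PROMISC, the simplified hardware filter, and the MAC addresses are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define MODEL_PROMISC  0x100u  /* stands in for IFF_PROMISC in this model */

/* Constructed addresses: the host's own MAC, an unused unicast MAC, broadcast. */
static const uint8_t OWN_MAC[ETHER_ADDR_LEN]    = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t UNUSED_MAC[ETHER_ADDR_LEN] = {0x02, 0, 0, 0, 0, 0x99};
static const uint8_t BCAST_MAC[ETHER_ADDR_LEN]  = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* NIC receive filter (simplified assumption): outside promiscuous mode only
 * frames for our own address or with the group bit set are accepted. */
static bool hw_accepts(unsigned flags, const uint8_t *dhost, const uint8_t *enaddr)
{
    if (flags & MODEL_PROMISC)
        return true;
    return (dhost[0] & 1) || memcmp(dhost, enaddr, ETHER_ADDR_LEN) == 0;
}

/* The quoted driver check: true means discard before handing the frame to IP. */
static bool driver_drops(unsigned flags, const uint8_t *dhost, const uint8_t *enaddr)
{
    return (flags & MODEL_PROMISC) &&
           (dhost[0] & 1) == 0 &&               /* !mcast and !bcast */
           memcmp(dhost, enaddr, ETHER_ADDR_LEN) != 0;
}

/* Does a frame reach IP (and so draw an echo reply)?
 * has_check = false models a driver without the quoted test. */
static bool probe_reaches_ip(unsigned flags, bool has_check,
                             const uint8_t *dhost, const uint8_t *enaddr)
{
    if (!hw_accepts(flags, dhost, enaddr))
        return false;
    if (has_check && driver_drops(flags, dhost, enaddr))
        return false;
    return true;
}

int main(void)
{
    printf("promisc, no check:   reply=%d\n",
           probe_reaches_ip(MODEL_PROMISC, false, UNUSED_MAC, OWN_MAC));
    printf("promisc, with check: reply=%d\n",
           probe_reaches_ip(MODEL_PROMISC, true, UNUSED_MAC, OWN_MAC));
    return 0;
}
```

With the check in place, the probe goes unanswered whether or not the interface is promiscuous, so silence says nothing about sniffing on such a host.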