Subject: Re: a remote user can check promiscuous mode
To: Wolfgang Rupprecht <>
From: Ignatios Souvatzis <>
List: tech-net
Date: 12/10/1999 22:10:44
On Fri, Dec 10, 1999 at 12:16:31PM -0800, Wolfgang Rupprecht wrote:
> (Michael Richardson) writes:
> >   The technique is to send an ICMP ping addressed to the node at the IP
> > layer, but not addressed to the node at the ethernet layer.
> I can think of a few more probes like this that are possible.  One can
> also slap on a MAC multicast address and the NIC's IP address and see
> if the NIC is listening to that ethernet multicast.
> I'm not sure that the information that these probes provide is at all
> damaging from a security standpoint.  The probe just shows if the MAC
> filters are pre-filtering ethernet traffic or not.


But our IP layer should reject packets with IPv4 unicast addresses, that are
targeted at link multicast addresses, right? (If I recall

So my guess at the description of the mechanism is that somehow
the M_MCAST/M_BCAST marking isn't done right in case of promiscuous
mode, and this is definitely a bug.