Subject: Re: a remote user can check promiscuous mode
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 12/10/1999 23:08:49
>>> http://www.l0pht.com/antisniff/tech-paper.html claims that a remote
>>> user can examine whether an interface of a NetBSD machine is in
>>> promiscuous mode or not.

>>> Is this a bug?

>> It is a bug.  The Ethernet drivers that exhibit such behavior should
>> be fixed.

> Why is it a bug?

Because putting the interface into promiscuous mode for BPF's purposes
shouldn't affect what packets are received by the various protocol
stacks.  Since promiscuous mode turns off the hardware's filtering, we
have to do it in software.  The behavior depended on by antisniff
amounts to *not* doing it in software.

> The only fix I see for this is to actually disable the NIC's filter,
> and do it in software, thus slowing things down again.  Isn't that
> exactly what the filter is for in the NIC?

Yes...but promiscuous mode amounts to just that, to disabling the
hardware filtering, so that all packets get kicked upstairs to the
kernel.  This is exactly what BPF wants, but we can't both disable the
filter for BPF and enable the filter for normal packet reception.  (It
would be Really Nice to see network hardware that, when in promiscuous
mode, tagged each packet with a bit indicating whether the packet would
have been received were it not for promiscuous mode.  I know of no such
hardware, unfortunately.)

You could, I suppose, put two interfaces in the machine, connect them
to the same network, configure one of them BPFONLY, and use that one
for BPF listening.  But that needs a second network interface (not even
possible on some machines).  (It also needs patches to support BPFONLY,
but they're simple enough; I can send them to anyone who wants.)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
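As an added illustration of the software filtering argued for above (example code written for this page, not code from the post or from any NetBSD driver), the following sketches the destination-address check a driver must apply itself once promiscuous mode has switched the NIC's filter off, and shows how a driver that skips it hands frames meant for other stations to the protocol stack. The ether_header layout, the demo interface address and the joined multicast group are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

struct ether_header {                 /* minimal 14-byte Ethernet header */
    uint8_t dst[ETHER_ADDR_LEN], src[ETHER_ADDR_LEN];
    uint16_t type;
};

/* Software stand-in for the NIC's destination filter: accept only what the
 * hardware would have accepted with promiscuous mode off (our own unicast
 * address, broadcast, or a multicast group we have joined). */
bool ether_sw_filter_accepts(const struct ether_header *eh, const uint8_t *ifaddr,
                             const uint8_t (*mcast)[ETHER_ADDR_LEN], size_t nmcast)
{
    static const uint8_t bcast[ETHER_ADDR_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (memcmp(eh->dst, ifaddr, ETHER_ADDR_LEN) == 0) return true;
    if (memcmp(eh->dst, bcast, ETHER_ADDR_LEN) == 0) return true;
    if (eh->dst[0] & 0x01)            /* group bit set: multicast */
        for (size_t i = 0; i < nmcast; i++)
            if (memcmp(eh->dst, mcast[i], ETHER_ADDR_LEN) == 0) return true;
    return false;
}

/* Does a received frame go up the protocol stack?  (BPF sees every frame
 * regardless.)  Promiscuous off: the hardware filtered already, so yes.
 * Promiscuous on: only after re-filtering in software; a driver that skips
 * that (sw_filter false) reacts to frames meant for other stations. */
bool ether_stack_accepts(const struct ether_header *eh, const uint8_t *ifaddr,
                         const uint8_t (*mcast)[ETHER_ADDR_LEN], size_t nmcast,
                         bool promisc, bool sw_filter)
{
    if (!promisc || !sw_filter) return true;
    return ether_sw_filter_accepts(eh, ifaddr, mcast, nmcast);
}

/* Constructed demo host: made-up interface address and one joined group. */
static const uint8_t demo_ifaddr[ETHER_ADDR_LEN] = {0x02,0x00,0x00,0xaa,0xbb,0xcc};
static const uint8_t demo_mcast[1][ETHER_ADDR_LEN] = {{0x01,0x00,0x5e,0x00,0x00,0x01}};

/* Build a frame to the given destination and report whether the stack gets it. */
bool demo_stack_accepts(const uint8_t *dst, bool promisc, bool sw_filter)
{
    struct ether_header eh = {0};
    memcpy(eh.dst, dst, ETHER_ADDR_LEN);
    return ether_stack_accepts(&eh, demo_ifaddr, demo_mcast, 1, promisc, sw_filter);
}
```

With the software filter in place, a frame carrying another station's MAC address is dropped before the IP layer even in promiscuous mode, so the interface behaves the same whether or not BPF is listening.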