>    Andrew> for situations like that, i used to just ifconfig my lan-line to
>    Andrew> 0.0.0.0 and then plug it in.  seemed to work fine for me.  it
>    Andrew> didn't expresly inhibit traffic in and out (ipfw could do that i
>    Andrew> guess, but there's no ipfw for ipv6 yet, right?) but i could
>    Andrew> certainly tcpdump.
>
>  This may be worse because an IP address of 0.0.0.0 will accept any
>datagram that arrives at the machine, so if you have promiscuous mode on,
>you may have problems.

if i have tcpdump running...i'm usually in promiscuous mode.

>  In particular, you may respond to a broadcast ping, which if you are
>strictly in eavesdropping mode (something a netadmin wants to do if they
>want an audit) then an attacker may notice you.

actually...the address 0.0.0.0 comes with the default netmask of
0.255.255.255, which almost guarantees that i won't process a
broadcast ping request.  unless it comes from a cisco router, that is.

um...is there an rfc on that somewhere?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."