|
Honeypots
mailing list archives
RE: [inbox] undetectable NIC in promiscuous mode
From: "Bement, Daniel" <dbement1 () pghboe net>
Date: Fri, 5 Mar 2004 16:25:09 -0500
There have been situations (depending on the hardware) I have seen where if one of the wires in the TX pair is cut or
(not making good connection) it will still maintain link with the switch while not allowing any data to pass through to
the switch..
Maybe a similar situation would produce the results you are hoping for....
-----Original Message-----
From: Chris Brenton [mailto:cbrenton () chrisbrenton org]
Sent: Friday, March 05, 2004 3:49 PM
To: Curt Purdy
Cc: Jose_Maria_Gonzalez () dell com; honeypots () securityfocus com
Subject: RE: [inbox] undetectable NIC in promiscuous mode
On Fri, 2004-03-05 at 12:29, Curt Purdy wrote:
Yes, there are protocols that do not depend on ip such as arp, dhcp, and
others.
Humm, I've never seen this myself. Please describe a situation I can try
and duplicate were an interface that does not have IP bound to it would
start transmitting ARP or DHCP packets.
A sure way to avoid
detection is to snip your TX lines 1&2.
This _does not_ work. I have tried this with both switches and hubs from
3COM, Cisco, D-Link & Netgear. Cutting the TX lines means you can not
initial the port to establish link. No link means you will not see
traffic.
HTH,
C
 By Date 
By Thread
Current thread:
|
Intro
