Re: Incorrect Linux ARP behavior

[pedward () WEBCOM COM (pedward () WEBCOM COM)]

> if(ether_header_destination != device_hardware_address) return;

When you place the interface in promiscuous mode (on Linux), this chunk
of code is exactly what you're bypassing.

It would probably be more accurate to say that the sniffer detector
simply finds machines that are in promiscuous mode, and exhibit the
behaviour that ARPs are returned for ETH's not it's own.

You can detect if a box is in promiscuous mode easier if:

Send a packet with the correct IP of the box:odd port, but the wrong ETH
address.  If you get an RST, the box is in promiscuous mode.  If
you do not, it's not.

> Seth M. McGann / smm () wpi edu        "Security is making it

--Perry

--
Perry Harrington        System Software Engineer    zelur xuniL  ()
http://www.webcom.com  perry.harrington () webcom com  Think Blue.  /\