On Mon, 5 Mar 2001, Jaan Sarv wrote: > > Also, paranoid network administrators might be a little upset by it, since > > Linux sends out a frame indicating it is switching into (or out > > of) promiscuous mode. This is possible evidence that you're running a > > sniffer of some kind (such as snort). > > Hi, > > How can I recognize such frames/packets? I know this isn't very effective > method when trying to discover sniffers, but worth a shot. > > Is there a way to disable those frames/packets? > > Jaan > > a bit paranoid :) Unless I'm mistaken, there was an article in phrack magazine a while back about a kernel patch that disables the sending of the "promscuous mode" packet. For this reason, only misconfigured computers (or script kiddies) would be sending this out; truly skilled {cr,h}ackers are unlikely to not patch the kernel before doing any covert sniffing.
Regards, Alex.