RE: Free Tools for detecting sniffers

Wed, 26 May 1999 16:02:10 -0700 


used to be that an suns an ifconfig -a would show if the interface was in
promiscuous mode, however since 2.6 that has been broken. Apparently the
support for this will be re-introduced in new drivers for the OS.


===================================================================
Larry Chin {[EMAIL PROTECTED]}      Technical Specialist - ISC
Sprint Canada                     2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693     Suite 200, North York, Ontario
Fax:   416.498.3507               M2J 5E6
===================================================================

On Wed, 26 May 1999, Petersen, Hans wrote:

> Quoth Mailing Lists [mailto:[EMAIL PROTECTED]], on Wednesday, May 26, 1999
> 8:35 AM:
> > I'm looking for a free (or nearly free) tool in either Linux or NT that
> > could tell me when a nic as been placed in promiscuous mode 
> [snip]
> 
> There is no method of detection (known to me) that allows you to detect
> remotely whether a NIC is in promisc mode.  The way I could see it done
> would be to place a small shellscript in cron, which pages you when PROMISC
> happens - sorta like this (quick script off the top of my head, I haven't
> tested this - this would be for BASH on RedHat Linux 5.2):
> 
> #!/bin/bash
> HOST=myhost
> NIC=eth0
> DATETIME=`date +'$m/%d %H:%M'`
> [EMAIL PROTECTED]
> 
> PROMISC_TEST=`ifconfig $NIC | grep PROMISC`
> PROMISC_LOCK=/root/.$NIC_is_promisc
> 
> # Test if we were in promisc when this script ran last
> if [ ! -e $PROMISC_LOCK ]; then
>    # Did the NIC report the PROMISC flag?
>    if [ "$PROMISC_TEST" != "" ]; then
>       echo "$NIC on $HOST went promisc at $DATETIME" | mail $MYPAGER
>       touch $PROMISC_LOCK
>    fi
> else
>    # We _were_ in promisc, now did it get turned off?
>    if [ "$PROMISC_TEST" = "" ]; then
>       echo "$NIC on $HOST went non-promisc at $DATETIME" | mail $MYPAGER
>       rm -f $PROMISC_LOCK
>    fi
> fi
> 
> 
> Hope this helps,
> 
>    ~Hans
> -- 
> Hans B. Petersen                       -  [EMAIL PROTECTED]
> Network Security Engineer              -  phone 303-581-5600
> SCC Communications Corporation
>          ~o' Sed quis custodiet ipsos custodes? 'o~
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to