Oldest trick in the book: cut the Tx pair.
Jeff
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jan Kasprzak
Sent: Friday, November 20, 1998 5:58 AM
To: [EMAIL PROTECTED]
Subject: Sniffer detection
Hello,
I have seen a program which can detect the machines running
tcpdump or any other sniffer (to be exact, having an interface in the
promiscuous mode). The program did this by sending a special packet for
every machine on the local network. The packet was the normal ARP query
except that it has some non-broadcast address instead of ff:ff:ff:ff:ff:ff
in the destination HW address field. The Linux box in promiscuous mode
can see this query and sends an ARP reply.
Can the Linux ARP be modified to not replying to non-broadcast
ARP packets?
-Yenya
--
\ Jan "Yenya" Kasprzak <kas at fi.muni.cz> http://www.fi.muni.cz/~kas/
\\ PGP: finger kas at aisa.fi.muni.cz 0D99A7FB206605D7 8B35FCDE05B18A5E //
\\\ Czech Linux Homepage: http://www.linux.cz/ ///
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
