Re: Promiscuous mode (again)

[Erek Adams <erek () theadamsfamily net>]

On Tue, 18 Sep 2001, snortlst snortlst wrote:

[...snip...]

> So according to that it is mandatory to have NIC in promiscuous mode on
> snort machine.....one of the guys send me an answer that it is not
> mandatory..... Can anybody clarify this issue?

No, it's not mandatory.  It's just more useful.

> (On the other hand - what's the use of having promiscuous mode if we use
> swithches on the network?)

Here's the basic difference between promisc and non-promisc:  Promiscuous mode
will see 'all' packets on the local wire.  Non-Promiscuous will only see
packets directed _AT THAT BOX_.  Now to define ''all packets'--If it's on a
switch, you'll need to be port mirroring or spanning to see all traffic on the
switch.  If you're on a 'True Hub', you'll see all traffic without any effort.
Traffic that is directed 'at that box' means broadcast traffic and traffic
that has a dest. address of the box in question.

As for the use of promisc on a switched net, well...  Only useful if your
switch will allow you to span/mirror or has a special monitor port on it.

Does that help, or does it make it even less clear?  I hope it helps!  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users