Snort mailing list archives

Re: Promiscuous mode


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 14 Aug 2003 15:43:05 -0400

At 10:00 AM 8/14/2003 -0500, John Creegan wrote:
> I'm thinking that "brings the interface up in promiscuous mode" is a
> bit of a misnomer.  That appears to be the effect because of libpcap.
> I'm thinking that "libpcap hands the IP stack all the packets off the
> sniffer interface as if it were in promiscuous mode" is more accurate.

It's not a misnomer. If your hardware isn't in promisc mode, pcap physically cannot receive packets that are unicast addressed to other machines. It's an absolute impossibility that is enforced in hardware.

The key point is to realize that promiscuous mode is a _HARDWARE_ setting of the ethernet adapter, not a software one of pcap.

So I think your ifconfig is lying to you, the hardware of your ethernet adapter is always in promisc mode, or you're seeing broadcasted packets.


Pcap will pick up every packet that your ethernet adapter decodes and passes along to the ethernet driver of your OS. Part of the ethernet specification is that normally ethernet cards only pick up packets that are addressed to them, or to a broadcast/multicast address. Unicast packets addressed to other ethernet adapters are ignored in hardware, unless the adapter is in promiscuous mode.

Since your ethernet adapter will not decode packets which are not addressed to it or broadcasted unless it is in promiscuous mode, it would be impossible for pcap to pick up those packets since the hardware ignored them completely.

Now of course, packets which are sent to the ethernet broadcast address will always be decoded by the ethernet hardware. So if you're seeing things like arps, well.. you should be because they are broadcasts.
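
An added illustration of the receive filtering described in the message above; it is not part of the original post and is not libpcap or driver code. The struct, function names and sample frames are constructed for the example, and the model simplifies real adapters by passing every multicast frame.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an Ethernet adapter's receive filter. */
struct nic {
    uint8_t mac[6];  /* station address programmed into the adapter */
    bool promisc;    /* hardware promiscuous bit */
};

enum verdict { DROP_IN_HW = 0, PASS_SELF, PASS_BROADCAST, PASS_MULTICAST, PASS_PROMISC };

/* Decide from the destination MAC (first 6 bytes) whether the frame is
   handed to the driver, which is the only way pcap can ever see it. */
enum verdict nic_filter(const struct nic *n, const uint8_t *frame, size_t len)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (len < 14) return DROP_IN_HW;             /* too short for an Ethernet header */
    if (memcmp(frame, bcast, 6) == 0) return PASS_BROADCAST;
    if (frame[0] & 0x01) return PASS_MULTICAST;  /* group bit set in first octet */
    if (memcmp(frame, n->mac, 6) == 0) return PASS_SELF;
    return n->promisc ? PASS_PROMISC : DROP_IN_HW;
}

/* Constructed sample headers: destination, source, ethertype. */
static const uint8_t ARP_BCAST[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x0a, 0x08,0x06};
static const uint8_t TO_OTHER[14]  = {0x02,0,0,0,0,0x0b, 0x02,0,0,0,0,0x0a, 0x08,0x00};
static const uint8_t TO_SELF[14]   = {0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x0a, 0x08,0x00};

/* Count how many of the three sample frames would reach pcap. */
int visible_frames(bool promisc)
{
    struct nic n = { {0x02, 0, 0, 0, 0, 0x01}, promisc };
    const uint8_t *frames[] = { ARP_BCAST, TO_OTHER, TO_SELF };
    int seen = 0;
    for (size_t i = 0; i < 3; i++)
        if (nic_filter(&n, frames[i], 14) != DROP_IN_HW)
            seen++;
    return seen;
}

int main(void)
{
    printf("promisc off: %d of 3 frames reach pcap\n", visible_frames(false));
    printf("promisc on:  %d of 3 frames reach pcap\n", visible_frames(true));
    return 0;
}
```

With the promiscuous bit off, the ARP broadcast and the frame addressed to the adapter still get through, which is why seeing ARP traffic on a sensor says nothing about whether promiscuous mode is actually enabled.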






