How can I find out that someone is using it's network card in promiscuous mode in a subnet? Thank you!
On Wed, Feb 03, 2010, Vadkan Jozsef wrote:>How can I find out that someone is using it's network card in >promiscuous mode in a subnet?We use the swatch log watcher, to detect lines like this in /var/log/messages (this is from a system running VMware virtual machines in bridging mode so this is normal): Jan 28 17:35:57 pogo kernel: device eth1 entered promiscuous mode Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792 Our Foreign dealings are an Open Book, generally a Check Book. Will Rogers
Vadkan Jozsef <jozsi.avadkan at gmail.com> wrote:>>How can I find out that someone is using it's network card in promiscuous mode in a subnet? << http://sourceforge.net/projects/prodetect/ Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144
"Les Bell" <lesbell at lesbell.com.au> wrote:>>http://sourceforge.net/projects/prodetect/ << Sorry - just remembered that's a Windows program. The classic tool for monitoring IP/Ethernet address pairings is arpwatch, but unlike prodetect, it will only report an ARP cache poisoning attack, not someone silently sniffing (which isn't much use on switched networks anyway). Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144