Re: Promiscuous Mode

From: don bailey (don.bailey@gmail.com)
Date: Wed Mar 19 2008 - 15:59:55 EST

• Next message: tclahr@br.ibm.com: "RE: Session Hijacking over HTTP"
• Previous message: xx yy: "Re: Pentesting tools for Linux IP Tables"
• In reply to: Simon Templar: "Promiscuous Mode"
• Next in thread: Amar Kulo: "Re: Promiscuous Mode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Templar wrote:
> Hello everybody,
>
> I have a question concerning "Promiscuous Mode", I know what it is,
> but I would like to know exactly what is happening behind the scenes
> when I change my NIC to this mode
>
> For example: what is the technicality in writing the command:
> ifconfig eth0 promisc?
>

A flag is basically passed through the network stack (IFF_PROMISC) down
into the trenches of your device driver. Your device driver will decide
if it can really handle this flag.

If it can, the driver will notify the chipset of your particular device
that promiscuous mode is requested. Essentially, this bypasses the
normal filtering mechanism used by the chipset.

On initialization, your ethernet card's chipset must be programmed to
use a specific MAC (or MACs if your chipset requires you to program
for {broad,multi}cast addresses). This address becomes a filter for
processing messages. When a signal comes in off a hot wire, the chipset
translates the electrical signal into a digital signal (packet). It
then checks the first six bytes of this packet against the filter. If
it matches, we have a packet destined for "this" host.

Promiscuous mode tells the chipset to temporarily "ignore" the filter
and pass up any data it receives off the hot wire. Whether you see
messages not destined for you is dependent on the network architecture.

When you unset promiscuous mode the chip resumes filtering like normal
but without having to reinitialize the filter(s).

A simple ethernet driver to read is probably the ThunderLAN driver for
Linux. If you're using *BSD, I suggest reading the Happy Meal driver
(probably if_hme.c but it's been a while).

Good luck,
D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH4X7FyWX0NBMJYAcRAkReAKDA5YykGARLeRiRly7H/b0WaXH9vQCgrGUh
r0axwwANBZfVZJjNJoBgxzw=
=M5Ex
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: tclahr@br.ibm.com: "RE: Session Hijacking over HTTP"
• Previous message: xx yy: "Re: Pentesting tools for Linux IP Tables"
• In reply to: Simon Templar: "Promiscuous Mode"
• Next in thread: Amar Kulo: "Re: Promiscuous Mode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT