Promiscuous Mode and Sniffers

Every Ethernet card has a MAC address. The job of the local routing package is to translate IP addresses into these MAC addresses. In this way the lower-level Ethernet protocol can "talk" to the upper-level IP protocol.

The routing package on your network knows the MAC address of every Ethernet card attached to its segment. When a router gets a new datagram, it decides whether it is local by matching the IP address to the MAC address of some machine. The router then plugs that MAC address into the "to" field of the datagram and sends it out on the wire. Every machine then takes a look at the datagram as it passes. If there is a match (the datagram's MAC address matches the machine's), the machine copies the data to the kernel.

Promiscuous mode is when a card copies in *all* datagrams on the segment, even those not addressed to it. There are legitimate network-oriented reasons to do this: flow analysis, problem determination, and code debugging are a few. However, most machines shouldn't be doing this. With an Ethernet card in promiscuous mode and a "packet sniffer" software package to process the packets, someone can listen in on *all* local traffic. Note that this is a passive attack: none of the other machines on the network know that this machine is copying packets destined for them, since only a copy operation is taking place.

The Bad Guys(tm) install a packet sniffer just as described to grab passwords and login information off the net. The software they use is generally quite compact and directed: it copies only those packets that have a high probability of carrying sensitive information. Since passwords fly across the network quite often, it is easy for a Bad Guy to get hundreds of passwords within only a few days of running an unnoticed program. Indeed, the classic (and worst) way to catch these sniffers is noticing diminishing disk space from the sheer volume of passwords grabbed.

For this reason it is important to check regularly that your Ethernet card has not been put in promiscuous mode. Incidentally, if someone has put your card in promiscuous mode, your machine has suffered a root compromise. A simple cron job can therefore give you early warning of problems. It is possible that a hacker will remove your cron job, and a good one will. However, a surprising number of cases can be caught by running a promiscuous mode detection program.

We recommend ifstatus 2.1. The nice thing about ifstatus is that it walks the device list and checks each Ethernet card for promiscuous mode directly. (If you don't know why this is a good thing, the reason is that Solaris doesn't keep track of which cards are in promiscuous mode; you have to query them directly, which is not always easy.)

Ifstatus is available in source and binary form for most operating systems. Make sure you test your copy of ifstatus to verify that it correctly reports when your host is in promiscuous mode.
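As an added example (not from the article, and not part of ifstatus), here is the kind of cron job the article recommends, written for Linux: it reads each interface's flag word from /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100 in <linux/if.h>). The sysfs directory and allowlist parameters are assumptions so the check can also be run against a constructed directory.

```shell
#!/bin/sh
# Added example: cron-friendly promiscuous-mode check for Linux (not the article's code).
# Reads /sys/class/net/<iface>/flags and tests IFF_PROMISC (0x100 in <linux/if.h>).

IFF_PROMISC=256   # 0x100

# flags_promisc HEXWORD -> prints "yes" if IFF_PROMISC is set in the flag word, else "no"
flags_promisc() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# promisc_ifaces SYSDIR -> prints, one per line, the interfaces under SYSDIR that
# are in promiscuous mode. SYSDIR is /sys/class/net on a live host; the tests use
# a constructed directory with the same layout (assumption: <iface>/flags files).
promisc_ifaces() {
    for f in "$1"/*/flags; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        [ "$(flags_promisc "$(cat "$f")")" = yes ] && echo "$iface"
    done
    return 0
}

# check_host SYSDIR ALLOWLIST -> returns 0 if no unexpected promiscuous interface,
# otherwise prints one warning per offender to stderr and returns 1.
# ALLOWLIST is a space-separated list of interfaces that legitimately sniff
# (e.g. a dedicated monitoring port); everything else is reported.
check_host() {
    status=0
    for iface in $(promisc_ifaces "$1"); do
        case " $2 " in *" $iface "*) continue ;; esac
        echo "WARNING: $iface is in promiscuous mode on $(uname -n)" >&2
        status=1
    done
    return $status
}

# Cron usage (cron mails any output to root, so a clean run is silent):
#   */10 * * * * /usr/local/sbin/promisc-check.sh --run "mon0"
if [ "${1:-}" = "--run" ]; then
    check_host /sys/class/net "${2:-}"
fi
```

Because the script reads sysfs rather than trusting `ifconfig`/`ip` output, it keeps working even if those binaries have been replaced, though a root-level intruder can of course still remove the cron entry itself, as the article notes.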
