Networking Forums

Re: Determining the presence of wireshark

 
 
Lew Pitcher
Guest
Posts: n/a

 
      03-09-2010, 07:43 PM
On March 9, 2010 12:40, in comp.os.linux.networking, (E-Mail Removed) wrote:

> On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
> <(E-Mail Removed)> wrote:
>
>>How to determine the presence of wireshark in a network ?

>
> Look for NIC cards and wireless devices running in promiscuous mode.


Note that this will present false positives if the NICs in question are
running with "user set" MAC addresses.

With "user set" MAC addresses, the NIC cannot use its builtin comparison
logic to find frames addressed to the NIC. The OS NIC driver logic has to
match the MAC address on /all/ "on the wire" packets to the "user set" MAC
address, and extract those that match. This requires that the NIC run in
promiscuous mode, to permit the driver access to all the network traffic.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
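
A local check for the condition discussed in the post above, as an added example that is not part of any post in this thread: it reads each interface's flag word from Linux sysfs, reports interfaces with IFF_PROMISC (0x100) set, and marks those whose `addr_assign_type` is 3 (MAC address set from userspace), the case the post describes as a possible false positive. The function name `promisc_report` and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report promiscuous interfaces on a
# Linux host and mark those running with a userspace-set MAC address.
#
# Usage:  promisc_report             # inspect the live /sys/class/net
#         promisc_report /some/copy  # inspect a copied or constructed tree

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

promisc_report() {
    root=${1:-/sys/class/net}
    for dev in "$root"/*; do
        # Skip entries that are not network devices (no flags attribute).
        [ -r "$dev/flags" ] || continue
        name=${dev##*/}

        # Interface flag word in hex, e.g. 0x1103.
        flags=$(cat "$dev/flags" 2>/dev/null)
        [ -n "$flags" ] || continue

        # addr_assign_type: 0 = permanent, 1 = random, 2 = stolen from
        # another device, 3 = set from userspace.
        assign=$(cat "$dev/addr_assign_type" 2>/dev/null || echo 0)

        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            if [ "$assign" = "3" ]; then
                # Promiscuous and running a user-set MAC: review before
                # treating it as evidence of a capture tool.
                echo "$name promisc user-set-mac"
            else
                echo "$name promisc"
            fi
        fi
    done
}
```

Each output line names one interface; the `user-set-mac` tag marks interfaces to review by hand before concluding that a sniffer is running.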


 
 
 
 
 
Rick Jones
Guest
Posts: n/a

 
      03-09-2010, 09:35 PM
In comp.os.linux.networking Lew Pitcher <(E-Mail Removed)> wrote:

> Note that this will present false positives if the NICs in question
> are running with "user set" MAC addresses.


> With "user set" MAC addresses, the NIC cannot use its builtin
> comparison logic to find frames addressed to the NIC. The OS NIC
> driver logic has to match the MAC address on /all/ "on the wire"
> packets to the "user set" MAC address, and extract those that
> match. This requires that the NIC run in promiscuous mode, to permit
> the driver access to all the network traffic.


Are there really NICs still common today which cannot put the
user-override MAC address into their filter table(s)?

rick jones
--
The glass is neither half-empty nor half-full. The glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
 
 
Lew Pitcher
Guest
Posts: n/a

 
      03-21-2010, 07:46 AM
Warning:

Lew Pitcher, who posts to this newsgroup, is a domain thief.

Read the full story at http://www.lewpitcher.ca

 
 
Dan C
Guest
Posts: n/a

 
      03-21-2010, 09:32 PM
On Sun, 21 Mar 2010 07:46:45 +0000, 'rm' trolled:

> Lew Pitcher, who posts to this newsgroup, is a domain thief.


Bullshit. The troll known as "rm" actually posted the above, and is
simply still whining about his failure to renew a domain, even after
repeated warnings, before it was opened up for public availability. He's
a whiny little bitch, clueless about Linux, who just can't get over it.
Pathetic, isn't he?

Ignore and ridicule this sad little loser.


--
"Ubuntu" -- an African word, meaning "Slackware is too hard for me".
"Bother!" said Pooh, as he wiped the vomit from his chin.
Usenet Improvement Project: http://twovoyagers.com/improve-usenet.org/
Thanks, Obama: http://brandybuck.site40.net/pics/politica/thanks.jpg
 
 
Lew Pitcher
Guest
Posts: n/a

 
      03-22-2010, 01:03 AM
Dan C <(E-Mail Removed)> trolled:

Warning:

Lew Pitcher, who posts to this newsgroup, is a domain thief.

Read the full story at http://www.lewpitcher.ca

> Bullshit.


?!?

> The troll known as "rm" actually posted the above, and is


You, of all people, are calling somebody else a "troll?"

Sorry, little Dan, but you have zero credibility. You're not even
entertaining and you are in so many killfiles that we are the only
one likely to read you.

Is chasing "rm" around all you can do with your time?

Don't you have anything else to do?

 
 
Antoine EMERIT
Guest
Posts: n/a

 
      04-05-2010, 11:04 AM
This is old but may help:

http://www.securityfriday.com/promis...tection_01.pdf
 