Promiscuous mode

From Free net encyclopedia

Promiscuous mode, in computer-related fields, generally refers to putting a network card into a setting in which it passes all traffic it receives to the CPU rather than just the packets addressed to it. Many operating systems require superuser privileges to operate in promiscuous mode.

A non-routing node in promiscuous mode can generally only monitor traffic to and from other nodes within the same collision domain (for Ethernet and Wireless LAN) or ring (for Token Ring or FDDI), which is why network switches are used to combat malicious use of promiscuous mode. A router may monitor all traffic that it routes.

Promiscuous mode is commonly used to diagnose network connectivity issues. Some programs, such as Ethereal, tcpdump, PRTG, and AirSnort (for wireless LANs), make use of this feature to show the user all the data being transferred over the network. Some programs, such as FTP and Telnet, transfer data and passwords in clear text, without encryption, and network scanners can see this data. Therefore, computer users are encouraged to stay away from programs like Telnet and use more secure ones such as SSH.

Inside each packet is a hardware (MAC) address. When a network card receives a packet, it checks the hardware address in it to see whether the packet is addressed to that computer. If it is not, the network card drops the packet. In promiscuous mode, the network card does not drop the packet, so the computer can read all packets that reach it.

Detection

As promiscuous mode can be used in a malicious way to sniff on a network, one might be interested in detecting network devices that are in promiscuous mode. There are basically two methods to do this:

  1. If a network device is in promiscuous mode, the kernel receives all network traffic, i.e. the CPU load increases. The latency of network responses then also increases, which can be detected. Of course, this method is very unreliable, as the CPU load could be higher for another reason.
  2. In promiscuous mode, some software might send responses to packets even though they were addressed to another machine. If you see such responses, you can be sure that the originating device is in promiscuous mode. An example is sending a ping (ICMP echo request) with the wrong MAC address but the right IP address. However, experienced sniffers can prevent this (e.g. using carefully designed firewall settings): a sniffing host that firewalls all ICMP traffic will not answer the ping, so the test does not reveal it.
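
The second method can be modelled offline. The following is an added example, not part of the original article: it builds the probe frame byte by byte and runs it through a toy host made of a NIC address filter and an IP stack. The `Host` class, the MAC and IP addresses, and the assumption that the stack answers any frame the card hands it without re-checking the destination MAC are all constructed for illustration.

```python
import socket
import struct

ETH_IPV4, IP_ICMP, ICMP_ECHO_REQUEST = 0x0800, 1, 8
BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def echo_request(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed Ethernet + IPv4 + ICMP echo request (checksums left at 0)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IP_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return eth + ip + icmp

class Host:
    """Toy model (assumption): NIC filter in front of a stack that trusts it."""
    def __init__(self, mac_addr, ip, promiscuous=False, drop_icmp=False):
        self.mac, self.ip = mac(mac_addr), socket.inet_aton(ip)
        self.promiscuous, self.drop_icmp = promiscuous, drop_icmp

    def nic_accepts(self, frame):
        # Normal mode: only own address or broadcast. Promiscuous: everything.
        return self.promiscuous or frame[:6] in (self.mac, BROADCAST)

    def replies_to(self, frame):
        if len(frame) < 42 or not self.nic_accepts(frame):
            return False                       # dropped by the card
        (ethertype,) = struct.unpack("!H", frame[12:14])
        proto, dst_ip, icmp_type = frame[23], frame[30:34], frame[34]
        if ethertype != ETH_IPV4 or dst_ip != self.ip:
            return False                       # not an IPv4 packet for this host
        if proto != IP_ICMP or icmp_type != ICMP_ECHO_REQUEST:
            return False
        return not self.drop_icmp              # host firewall suppresses the reply

def looks_promiscuous(host, host_ip):
    """Method 2: right IP address, deliberately wrong destination MAC."""
    probe = echo_request(mac("02:00:00:00:00:99"), mac("02:00:00:00:00:01"),
                         "192.0.2.1", host_ip)
    return host.replies_to(probe)

if __name__ == "__main__":
    for name, h, ip in [
        ("normal", Host("02:00:00:00:00:10", "192.0.2.10"), "192.0.2.10"),
        ("sniffer", Host("02:00:00:00:00:20", "192.0.2.20", True), "192.0.2.20"),
        ("sniffer+fw", Host("02:00:00:00:00:30", "192.0.2.30", True, True), "192.0.2.30"),
    ]:
        print(name, looks_promiscuous(h, ip))
```

A reply proves promiscuous mode in this model, but silence proves nothing: the firewalled sniffer and the normal host look identical to the prober.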

There exist several tools that try to detect sniffing.

