Ethereal is only reporting the packets that are received, that is
true, but if you run it in Promisc mode, then you change how the NIC
works: the MAC filter is disabled.
A NIC that is in promisc mode is easy to spot. Very easy.
One of many, many ways to spot such a NIC is trying to ping your host but sending
the ping to a dummy/fake MAC address.
If your NIC is in promisc mode it will be passed through the NIC and
your network stack will respond to the ping.
Many other techniques also exist.
So your instructor is correct, it is easy to detect if you run a
sniffer (IF your sniffer enables promisc mode).
If you make sure to NOT enable promisc mode it cannot be detected.
It is possible, using very old NICs where you use a DIX connector and
an external transceiver, to make a receive-only NIC by modifying the
hardware and such a NIC can generally not be detected even when in
promisc mode, but that requires hardware modifications and would be
sort of pointless anyway in a switched network.
----- Original Message -----
From: Dale Blake JonesWaddell
Date: Fri, 27 Aug 2004 06:49:19 -0400
Subject: [Ethereal-users] What does it mean to "Capture" packets
To: ethereal-users@xxxxxxxxxxxx
We are having a debate in a networking class about Ethereal. Our
campus is part of a larger Governmental WAN. We installed Ethereal on
several computers to show people what goes on when two computers
communicate. The instructor warned us about unauthorized activity on
the network and that any "packet sniffing" would be seen by the people
who monitor the network.
I did not tell him he was stupid, although I want to every day, but it
is my understanding that Ethereal is only reporting the packets that
the NIC and TCP/IP is picking up anyway. And that Ethereal is not
doing anything "ON" or "TO" the rest of the network.
So what really is happening?
Thank you,
Dale
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
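
The fake-MAC ping test described in the reply, as an added example that is not part of the original thread. It builds the probe frame and models the two decisions involved: the NIC's hardware MAC filter and the host's IP stack. All addresses are constructed sample values, and the model assumes a stack that never re-checks the Ethernet destination, which is the behavior the reply relies on.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_probe(dst_mac, src_mac, src_ip, dst_ip) -> bytes:
    """Ethernet + IPv4 + ICMP echo request; only dst_mac is 'wrong'."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     64, 1, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + icmp

def nic_accepts(frame, nic_mac, promisc) -> bool:
    """Hardware MAC filter: own address or broadcast, unless promiscuous."""
    dst = frame[:6]
    return promisc or dst == nic_mac or dst == b"\xff" * 6

def stack_replies(frame, host_ip) -> bool:
    """Assumed stack: validates IP/ICMP only, never re-checks frame[:6]."""
    ip, icmp = frame[14:34], frame[34:]
    return (frame[12:14] == b"\x08\x00" and inet_checksum(ip) == 0
            and ip[9] == 1 and ip[16:20] == host_ip
            and icmp[0] == 8 and inet_checksum(icmp) == 0)

def host_answers(frame, nic_mac, host_ip, promisc) -> bool:
    return nic_accepts(frame, nic_mac, promisc) and stack_replies(frame, host_ip)

# Constructed sample values (documentation IP range, locally administered MACs).
HOST_MAC, FAKE_MAC = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:99")
PROBER_MAC = mac("02:00:00:00:00:02")
HOST_IP, PROBER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
PROBE = build_probe(FAKE_MAC, PROBER_MAC, PROBER_IP, HOST_IP)

if __name__ == "__main__":
    for promisc in (False, True):
        hit = host_answers(PROBE, HOST_MAC, HOST_IP, promisc)
        print(f"promisc={promisc}:", "echo reply, sniffer suspected" if hit else "silence")
```

A host whose stack does compare the frame's destination MAC with its own will stay silent in both cases, so silence from this probe alone does not prove the NIC is filtering.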