Subject: Re: Detecting Sniffing?
To: None <mycroft@gnu.ai.mit.edu>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: current-users
Date: 01/13/1995 12:33:56
>> emit a packet addressed to an Ethernet address not in use on that
>> segment, but with the suspect machine's IP address in the IP
>> to-address field.  [...]

> Nope.  I quote:

> 		if ((ifp->if_flags & IFF_PROMISC) &&
> 		    (eh->ether_dhost[0] & 1) == 0 && /* !mcast and !bcast */
> 		    bcmp(eh->ether_dhost, sc->sc_arpcom.ac_enaddr,
> 			    sizeof(eh->ether_dhost)) != 0) {
> 			m_freem(m);
> 			return;
> 		}

> Doing otherwise would be a *significant* performance hit.

When I first read this, my reaction was:

	It also means that "promiscuous mode" isn't.  The whole *point*
	of promiscuous mode is that you pick up everything!

Then I went and investigated, and thought about it.  For the benefit of
those who don't want to grep their entire source trees for it, this
code (or something like it) occurs in the various ethernet drivers.
What mycroft didn't say is that it occurs in a context like

#if NBPFILTER > 0
	if (...there's a bpf filter attached...) {
		bpf_tap(...); /* let bpf see the packet */
		...above snippet of code...
	}
#endif

so that it does not impair promiscuity as far as bpf goes, but does
mean my idea won't work.  Further reflection indicates that every
system with any form of Ethernet spying must do something similar, or
whenever the interface goes promiscuous, ip_input will be trying to
forward all the packets it's receiving for other hosts, leading to
large quantities of doubled traffic.  (Assuming ipforwarding is
enabled, which is certainly the case on many such systems.)

Sorry for suggesting something without actually trying it, especially
when I could have deduced it wouldn't work without even needing to try
it....

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
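As an added illustration (not code from this message, from mycroft, or from the NetBSD source tree): a small C model of the receive path discussed above. It walks constructed sample frames through the quoted check and reports which consumer sees each one, bpf via bpf_tap() or the IP stack via ether_input(). Only the condition itself is taken from the quoted driver snippet; the IFF_PROMISC value, the MAC addresses and the frames are assumed values made up for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the receive-path check quoted in the message.  This is an added
 * illustration, not the NetBSD driver code; IFF_PROMISC's value, the
 * addresses and the frames are constructed for the example. */

#define ETHER_ADDR_LEN 6
#define IFF_PROMISC    0x100     /* assumed flag value for this model only */

struct ether_hdr {
    uint8_t  dhost[ETHER_ADDR_LEN];
    uint8_t  shost[ETHER_ADDR_LEN];
    uint16_t type;
};

/* Our interface's MAC address (constructed). */
static const uint8_t OUR_ADDR[ETHER_ADDR_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Constructed sample frames.  PROBE_FRAME is the kind the original proposal
 * would send: unicast to a MAC that nobody on the segment owns. */
static const struct ether_hdr TO_US_FRAME = {{0x02,0,0,0,0,0x01}, {0x02,0,0,0,0,0x02}, 0x0800};
static const struct ether_hdr PROBE_FRAME = {{0x02,0,0,0,0,0x99}, {0x02,0,0,0,0,0x02}, 0x0800};
static const struct ether_hdr BCAST_FRAME = {{0xff,0xff,0xff,0xff,0xff,0xff}, {0x02,0,0,0,0,0x02}, 0x0806};
static const struct ether_hdr MCAST_FRAME = {{0x01,0x00,0x5e,0,0,0x01}, {0x02,0,0,0,0,0x02}, 0x0800};

/* The quoted test: in promiscuous mode, a unicast frame not addressed to us
 * is freed right after bpf_tap() and never reaches ether_input(). */
static int driver_drops_after_tap(int if_flags, const struct ether_hdr *eh)
{
    return (if_flags & IFF_PROMISC) &&
           (eh->dhost[0] & 1) == 0 &&                          /* !mcast and !bcast */
           memcmp(eh->dhost, OUR_ADDR, ETHER_ADDR_LEN) != 0;    /* not our address */
}

/* Walk one frame through the modelled path.  Returns a bitmask:
 *   bit 1 (value 2): bpf (the sniffer) saw the frame
 *   bit 0 (value 1): the frame was passed up to ip_input() */
int deliver(int if_flags, int bpf_attached, const struct ether_hdr *eh)
{
    int saw = 0;

    /* Hardware address filter: a NIC that is not promiscuous only hands the
     * driver frames for us, broadcast or multicast. */
    if (!(if_flags & IFF_PROMISC) && (eh->dhost[0] & 1) == 0 &&
        memcmp(eh->dhost, OUR_ADDR, ETHER_ADDR_LEN) != 0)
        return saw;

    if (bpf_attached) {
        saw |= 2;                                   /* bpf_tap(): bpf sees the packet */
        if (driver_drops_after_tap(if_flags, eh))
            return saw;                             /* m_freem(m); return; */
    }
    saw |= 1;                                       /* ether_input() -> ip_input() */
    return saw;
}

int main(void)
{
    static const struct { const char *name; const struct ether_hdr *f; } frames[] = {
        {"to us     ", &TO_US_FRAME}, {"probe     ", &PROBE_FRAME},
        {"broadcast ", &BCAST_FRAME}, {"multicast ", &MCAST_FRAME},
    };
    printf("frame       normal  promisc+bpf  promisc,no bpf\n");
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("%s  %d       %d            %d\n", frames[i].name,
               deliver(0, 0, frames[i].f),
               deliver(IFF_PROMISC, 1, frames[i].f),
               deliver(IFF_PROMISC, 0, frames[i].f));
    return 0;
}
```

The probe row is the case the message is about: on a promiscuous host with bpf attached the frame is recorded by bpf (result 2) but its IP stack never sees it, which is why the proposed test cannot tell such a host apart. The last column, promiscuous with no bpf reader, is the situation where the guard does not apply and every foreign unicast frame reaches ip_input(), i.e. the doubled-traffic problem the message describes when ipforwarding is on.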