[Snort-devel] Promiscuous detection

Johan Samuelson adamant at ...272...
Wed Feb 14 03:12:14 EST 2001


> As far as I remember, this was only supposed to work on old Linux kernels
> which had a bug related to promisc. mode
> but when bind did more testing he found that newer Linux kernels and some
> other operating systems were still misbehaving in regards to promisc mode.
> So you might wanna test that arp test on your machine before drawing any
> conclusions

Yes, but still I think printing the hardware address associated with ARP
requests/replies could be interesting in other cases as well. I don't see
the point in limiting the -e switch to only dumping hardware addresses on IP
datagrams, save for creating a compacter output that is.

// Johan





