[Snort-devel] Promiscious detection

Martin Roesch roesch at ...48...
Fri Feb 23 00:21:09 EST 2001


I think the -a switch will do what you're looking for.

    -Marty

Johan Samuelson wrote:
> 
> > As far as i remember, this was only supposed to work on old linux kernels
> which
> > had a bug related to promisc. mode
> > but when bind did more testing he found that newer linux kernels and some
> > other operating systems were still misbehaving in regards to promisc mode.
> > So you might wanna test that arp test on your machine before drawing any
> > conclusions
> 
> Yes, but still I think printing the hardware address associated with ARP
> requests/replies could be interesting in other cases as well. I don't see
> the
> point in limiting the -e switch to only dumping hardware addresses on IP
> datagrams, save for creating a compacter output that is.
> 
> // Johan
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org




More information about the Snort-devel mailing list