[Snort-users] Promiscuous mode (again)
erek at ...577...
Tue Sep 18 09:01:04 EDT 2001
On Tue, 18 Sep 2001, snortlst snortlst wrote:
> So according to that it is mandatory to have NIC in promiscuous mode on
> snort machine.....one of the guys sent me an answer that it is not
> mandatory..... Can anybody clarify this issue?
No, it's not mandatory. It's just more useful.
> (On the other hand - what's the use of having promiscuous mode if we use
> switches on the network?)
Here's the basic difference between promisc and non-promisc: Promiscuous mode
will see 'all' packets on the local wire. Non-Promiscuous will only see
packets directed _AT THAT BOX_. Now to define 'all packets'--if it's on a
switch, you'll need to be port mirroring or spanning to see all traffic on the
switch. If you're on a 'True Hub', you'll see all traffic without any effort.
Traffic that is directed 'at that box' means broadcast traffic and traffic
that has a dest. address of the box in question.
As for the use of promisc on a switched net, well... Only useful if your
switch will allow you to span/mirror or has a special monitor port on it.
Does that help, or does it make it even less clear? I hope it helps! :)
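
Added example, not part of the original message: a small model of the cases the reply describes (hub, plain switch port, span/mirror port, each with and without promiscuous mode), showing which frames a sniffer would get to inspect. The MAC addresses and frames are constructed sample data; the switch is assumed to have learned every MAC, and multicast is left out.

```python
# Added example: a model of the capture paths described in the message above.
# MAC addresses and frames are constructed sample data.
BROADCAST = bytes.fromhex("ffffffffffff")
SENSOR = bytes.fromhex("02000000000a")   # hypothetical Snort box
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + ethertype.to_bytes(2, "big") + payload

def reaches_port(frm, sensor_mac, medium):
    """Does the network deliver this frame to the sensor's port at all?"""
    dst = frm[0:6]
    if medium in ("hub", "mirror"):       # hub repeats everything; SPAN copies everything
        return True
    if medium == "switch":                # assumes the switch has learned every MAC
        return dst in (sensor_mac, BROADCAST)
    raise ValueError("unknown medium: %r" % medium)

def nic_accepts(frm, sensor_mac, promisc):
    """NIC receive filter: non-promisc keeps only own-MAC and broadcast frames."""
    if len(frm) < 14:                     # truncated header, dropped either way
        return False
    return promisc or frm[0:6] in (sensor_mac, BROADCAST)

def visible(frames, sensor_mac, medium, promisc):
    """Names of the frames the sniffer would actually get to inspect."""
    return [name for name, frm in frames
            if reaches_port(frm, sensor_mac, medium)
            and nic_accepts(frm, sensor_mac, promisc)]

SAMPLE = [
    ("A->B unicast", frame(HOST_B, HOST_A)),
    ("A->sensor unicast", frame(SENSOR, HOST_A)),
    ("A->broadcast (ARP)", frame(BROADCAST, HOST_A, 0x0806)),
]

if __name__ == "__main__":
    for medium in ("hub", "switch", "mirror"):
        for promisc in (False, True):
            seen = visible(SAMPLE, SENSOR, medium, promisc)
            print("%-6s promisc=%-5s -> %s" % (medium, promisc, seen))
```

The A->B frame shows up only for hub or mirror with promiscuous mode on; on a plain switch port the two modes give the same result.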