[Snort-users] Promiscuous mode (again)

> So according to that it is mandatory to have NIC in promiscuous mode on
> snort machine.....one of the guys send me an answer that it is not
> mandatory..... Can anybody clarify this issue?

No, it's not mandatory.  It's just more useful.

> (On the other hand - what's the use of having promiscuous mode if we use
> swithches on the network?)

Here's the basic difference between promisc and non-promisc:  Promiscuous mode
will see 'all' packets on the local wire.  Non-Promiscuous will only see
packets directed _AT THAT BOX_.  Now to define ''all packets'--If it's on a
switch, you'll need to be port mirroring or spanning to see all traffic on the
switch.  If you're on a 'True Hub', you'll see all traffic without any effort.
Traffic that is directed 'at that box' means broadcast traffic and traffic
that has a dest. address of the box in question.

As for the use of promisc on a switched net, well...  Only useful if your
switch will allow you to span/mirror or has a special monitor port on it.

Does that help, or does it make it even less clear?  I hope it helps!  :)

