[Snort-users] promiscuous mode in windows

Matt Kettler mkettler at ...4108...
Fri Apr 15 14:02:43 EDT 2005


Mihai Petre wrote:

> Hi guys,
>
> I inherited 2 sensors running snort on win2000.
> The config on each network card show a static ip assigned to each card
> used for sniffing.
>
> I know that in linux I can check the status and start the card in
> promisc mode but what about windows.
>
I don't think windows itself understands the concept, so I don't think
there's a good way to check the status. Perhaps there's a 3rd party utility.

>
> Can I have an ip assigned and promisc mode on the same card ?
>
Yes, you can have both at the same time on the same card. Why wouldn't
you be able to do that?

 Really, promisc mode has nothing to do at all with IP assignment. 
Promisc mode is an ethernet MAC layer setting, and has no relevance at
all to the IP layer. It's not like they are settings that get applied at
the same spot and thus would require any special effort to support both
at the same time.

Some old and now obscure systems have the opposite problem, they refuse
to enable interfaces that don't have an IP, thus you can ONLY do promisc
mode on interfaces with IP's. But that's really just a weird assumption
in the system that any interface without an IP must be useless and
should be shut down.

 I've never heard of a machine that required an interface to have no IP
before it would allow promisc mode. Ever.  (However, if anyone knows of
one, I'd love to hear about it)





More information about the Snort-users mailing list