Results 1 to 3 of 3

Thread: Two questions about Snort (promiscuous mode)

  1. #1
    Junior Member
    Join Date
    Jul 2001
    Posts
    2

    Two questions about Snort (promiscuous mode)

    I have been trying to learn more about packet sniffing. I realize that I can not sniff packets sent from one computer to another but from what I have read I believe that I can sniff all the packets on my network if my NIC is set to promiscuous mode. I have looked for information telling me how to do that but all I could find was a page that said I would have to write or download promiscous drivers for my particular NIC. Is that true?

    Also it seems to me that Sniffing can not be done from a dial up, is that the case? If so, is it possible with DSL or cable? Last of all is it illegal to sniff a network out side your own. For instance a cable or DSL network?

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    While the act of packet sniffing isn't neccessarily illegal, it is typically used for illegal purposes.

    It can only be done withing a network. I can't sniff packets from Microsoft from my network, I can only sniff packets on my network. Then from where my computer is, I can only sniff packets on my vlan, and then smaller, only on the hub I am connected to (ok, so this is where I get shakey, and I am sure that someone will aid my explanation).

    On a modem, I don't think it would be possible. DSL, I have no clue about. Cable, you would be able to get packets from people that are on the same "network" as you, meaning probably only the people on your street that subscribe to the same provider as you.

    To get packets from a network other than yours you would have to break into a computer on their network, and make one of their computers sniff. That IS illegal.

    The best place to sniff for packets is at the "entrance" to a network, before it gets broken up into different segments, I know we have one set up there, with a program called Etherpeak to monitor bandwidth usage, and to see "what is going on" with our network, this is one of those cases where packet sniffing is useful tool, and legal.

    Typically admins get suspicious if they see a NIC set to promiscous mode, when a NIC is set to promiscous mode, it grabs all the packets that are being sent from other machines, ALL. A lot of bandwidth gets comes to you, my one experience using a packet sniffer choked my computer.

    I don't feel that I am really conveying all that I am trying to say. But, to understand how packets sniffing works, you have to understand the way that information travels through the "ether" and how networks are set-up.

    But, I am tired, I am not thinking correctly, and quite frankly, I just don't give a damn (if one more thing goes wrong this week, I might have to do someting rash).

    dhej

    /*edited for spelling(Like I said this isn't my week)*/

  3. #3
    Junior Member
    Join Date
    Jul 2001
    Posts
    2
    Typically admins get suspicious if they see a NIC set to promiscous mode, when a NIC is set to promiscous mode, it grabs all the packets that are being sent from other machines, ALL. A lot of bandwidth gets comes to you, my one experience using a packet sniffer choked my computer.
    It is a small computer lab (3 computers) of which I am the Admin. What suprised me the most about my tests were that when I started viewing logs I could pull (plain text) user names and passwords like the ones used for this forum along with the HTTP info.

    So this gets me to thinking that any admin from any network could possibly read any text based messages from any of the users on the network. So I go to another computer and send an email with a few keywords that I can search the logs for later. I couldn't find it so I am guesing that is because email client may package the data differently then HTTP packets.

    Although I still not sure of that, I did one more experiment I posted to a message board using computer number two and then went back to the computer with the sniffer running to check for words in the message I posted. I couldn't find them so I started RTFM and find that the NIC has to be in promiscous mode.

    The best place to sniff for packets is at the "entrance" to a network, before it gets broken up into different segments, I know we have one set up there, with a program called Etherpeak to monitor bandwidth usage, and to see "what is going on" with our network, this is one of those cases where packet sniffing is useful tool, and legal.
    OK I understand that and will have to change a few things in my lab to achieve that. But I am still curious about setting a NIC on a remote machine in the same network to promiscous mode to scan other traffic. Any ideas?

    Thanks for the information!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •