Re: Finding a machine which is sniffing on the network (fwd)

Matei Conovici (cmatei@lbi.ro)
Sun, 26 Oct 1997 11:42:35 +0200


> Linux, at least in the versions I've experimented with, will not ignore IP
> packets addressed to a local interface that are encapsulated in Ethernet
> frames that are not addressed to a local interface. That is to say, if
> ether0 on a Linux box is address 10.10.10.1, and the MAC address for the
> interface is AA.BB.CC.AA.BB.CC, it will respond to an ICMP packet sent to
> 10.10.10.1 encapsulated in an Ethernet frame addressed to
> 0D.EA.DB.EE.F0.

Even more, it seems to me that Linux also forwards those packets if
forwarding is enabled. I see packets resent from a Linux machine which
acts as a router on my network.

While it seems OK to me to answer to packets destined for his own IP
address but with wrong MAC address (this way I can find out if the guy
has the interface in promiscuous mode :) it doesn't seem good to also
forward all received packets.

> We cite Linux explicitly because it appears the Linux ethernet drivers do
> not back-check frame MAC addresses on received frames, but rather assume
> them to be destined to the machine.

Matei
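
The promiscuous-mode check mentioned above, as an added example that is not part of the original message: it builds an ICMP echo request for 10.10.10.1 inside a frame addressed to a MAC no host owns, and recognises a matching reply, which means the interface passed up a frame that was not addressed to it. The bogus MAC, the prober's MAC and IP, and all function names are constructed for illustration; sending and capturing the frames is left to a raw-socket tool.

```python
import socket
import struct

TARGET_IP = "10.10.10.1"            # from the message above
TARGET_MAC = "aa:bb:cc:aa:bb:cc"    # from the message above
BOGUS_MAC = "02:00:00:00:be:ef"     # constructed: a MAC no host on the segment owns
PROBER_MAC = "02:00:00:00:00:01"    # constructed
PROBER_IP = "10.10.10.2"            # constructed

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def icmp_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type, ident, seq):
    """Ethernet + IPv4 + ICMP echo (type 8 = request, type 0 = reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", csum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + icmp

def answers_probe(frame: bytes, target_ip: str, ident: int, seq: int) -> bool:
    """True if frame is a valid echo reply from target_ip matching the probe."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False                          # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or frame[23] != 1 or frame[26:30] != socket.inet_aton(target_ip):
        return False                          # not ICMP from the probed host
    icmp = frame[14 + ihl:14 + total_len]     # drops Ethernet padding
    if len(icmp) < 8 or csum(icmp) != 0:
        return False                          # truncated or corrupt
    icmp_type, code, _, r_id, r_seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type == 0 and code == 0 and (r_id, r_seq) == (ident, seq)
```

A reply is only meaningful if the same probe addressed to the host's real MAC is also answered; otherwise silence may just mean ICMP is filtered.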