BTW I think you might be able to detect promiscous mode with a raw socket (at least on non-switched ethernet). If I send a ping packet to 192.168.1.42 using the wrong ethernet address then a response implies promiscous mode because otherwise the interface would have dropped the packet.
I have not investigated but think the kernel but think it would reliably respond and 99.99% of attackers would not realised they had been exposed.
Assuming that the promiscuous machine has arp spoofed that mac address, so that the switch will pass the packet down that port.
-- Geoff Crompton Debian System Administrator Strategic Data +61 3 9340 9000
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
