[TriLUG] Promiscuous mode on open network (nc.rr.com)?

Mike Johnson mike at enoch.org
Tue Jul 1 11:22:08 EDT 2003


lfwelty [lfwelty at nc.rr.com] wrote:
> Hi all,
> 
> I'm setting up ntop and snort to watch what's coming at (and
> through) my firewall. There are options to run without enabling
> promiscuous mode on the monitored NIC, but it would be interesting
> to see what's floating by.

Eh, it's not really all that interesting.  You'll see arp requests and
bootp requests.  DOCSIS takes care of making sure you only see what
you're supposed to see.  I think you'll see all that broadcast traffic
even if you aren't in promisc mode.
 
> Has anyone done this on their isp's net?
> Or nc.rr.com in particular?

Yes and yes.
 
> Did you have any problems?

No.

> Has anyone's isp scanned for NICs in promiscuous mode?

Um, this is really hard to do.  But then again, I got it written into my
contract that I'm allowed (so I can do exactly what you're talking
about).  However, I'm on a commercial account.

Frankly, DOCSIS prevents you from seeing what you shouldn't.  It's
stupid for an ISP to get pissed if you're running an IDS.  Unless, of
course, they're going to run an IDS for me.  No?  I didn't think so.

Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
