The Promiscuous-mode scanner allows you to identify sniffers and network intrusion detection systems present on the LAN. It implements the recognition method explained in the paper "Promiscuous node detection using ARP packets", presented by Daiji Sanai at The Black Hat Briefings 2001. This feature is included in the MAC Scanner and relies on the responses received to various tests based on ARP packets.

It is possible to select the test to perform from the MAC Scanner dialog; positive results are reported in the "Hosts" list with an * in the corresponding column.

Be warned that not all operating systems respond in the same way; an example of the results from a Windows machine follows:

Network card not in promiscuous-mode (not sniffing)

Network card in promiscuous-mode (sniffing)

As you can see, Windows machines that are not sniffing the network normally respond only to ARP Test (Broadcast 16-bit) and ARP Test (Multicast group1). When a sniffer is activated and the network card is put into promiscuous-mode, they also start to respond to ARP Test (Broadcast 31-bit).
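The following sketch is an added example, not code from the tool: it builds the ARP request frame for each of the three tests named above, recognises a reply, and applies the Windows pattern just described. The destination MAC addresses are the ones given for these tests in Sanai's paper and are assumed to match the tool's test names; the function names and sample addresses are constructed for illustration.

```python
import struct

# Fake broadcast/multicast destinations per test, as given in Sanai's paper
# (assumption: the page itself does not list the addresses the tool sends).
TEST_DST = {
    "Broadcast 31-bit": "ff:ff:ff:ff:ff:fe",
    "Broadcast 16-bit": "ff:ff:00:00:00:00",
    "Multicast group1": "01:00:5e:00:00:01",
}

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def arp_request(test, src_mac, src_ip, target_ip):
    """Ethernet + ARP who-has frame whose Ethernet destination is the test's
    fake address instead of the real broadcast ff:ff:ff:ff:ff:ff."""
    eth = mac(TEST_DST[test]) + mac(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, op=request
    arp += mac(src_mac) + ip(src_ip) + b"\x00" * 6 + ip(target_ip)
    return eth + arp

def is_reply_from(frame, target_ip):
    """True if frame is an ARP reply (op=2) whose sender IP is target_ip."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    op = struct.unpack("!H", frame[20:22])[0]
    return op == 2 and frame[28:32] == ip(target_ip)

def classify_windows(answered):
    """Apply the Windows pattern described above to the set of test names
    the host answered. Other operating systems may respond differently."""
    if "Broadcast 31-bit" in answered:
        return "promiscuous (sniffing)"
    if answered:
        return "normal (not sniffing)"
    return "no response"

if __name__ == "__main__":
    # Constructed sample addresses (locally administered MAC, TEST-NET-1 IPs).
    for name in TEST_DST:
        frame = arp_request(name, "02:00:00:00:00:01", "192.0.2.10", "192.0.2.20")
        print(f"{name:17s} dst={frame[:6].hex(':')} len={len(frame)}")
    print(classify_windows({"Broadcast 16-bit", "Multicast group1"}))
    print(classify_windows(set(TEST_DST)))
```

A card that is not in promiscuous mode filters these frames in hardware because the destination is neither its own address nor the true broadcast address, so a reply to the 31-bit test shows that the frame reached the host's ARP layer.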

Prerequisites

The sniffer must be activated.

Limitations

Because ARP packets cannot cross routers or VLANs, this feature works only inside your broadcast domain.

Usage

The promiscuous-mode scanner is activated using the MAC Scanner dialog.