Friday, January 1, 2010

Promiscuous or non-promiscuous

A previous blog entry talked about protocol analyzers. When using a protocol analyzer, you should be aware that it can run in one of two modes: promiscuous and non-promiscuous.

  • Non-promiscuous. In non-promiscuous mode, the protocol analyzer can only capture traffic addressed to the system (including broadcasts) or coming from the system. In other words, it can't capture unicast traffic between two other hosts.
  • Promiscuous. In promiscuous mode, the protocol analyzer can capture any and all traffic that reaches its NIC. Attackers would use a protocol analyzer in promiscuous mode.
Wireshark is a protocol analyzer that you can download for free, and it works in both promiscuous and non-promiscuous mode.

As a side note, you should know that when a protocol analyzer is operating in promiscuous mode, it gives telltale signs on the network. Don't just start running it on a live network without permission.
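One local check an administrator can run to spot an interface that has been put into promiscuous mode on a Linux host, added here as an example and not part of the original post: read each NIC's flag word from sysfs and report any interface with the kernel's IFF_PROMISC bit set. The sysfs path layout is assumed to be the standard /sys/class/net/<iface>/flags, and the flag values used in the fixture are constructed.

```python
import tempfile
from pathlib import Path

# Flag bits from Linux <linux/if.h>; IFF_PROMISC is the bit the kernel sets
# when a tool such as a sniffer requests promiscuous mode on an interface.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def parse_flags(text: str) -> int:
    """Parse the hex string stored in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True when the interface flag word has the promiscuous bit set."""
    return bool(flags & IFF_PROMISC)


def scan_interfaces(sysfs_net: str = "/sys/class/net") -> dict:
    """Return {interface name: promiscuous?} for every interface under sysfs_net."""
    result = {}
    for entry in sorted(Path(sysfs_net).iterdir()):
        flags_file = entry / "flags"
        if not flags_file.is_file():
            continue
        try:
            result[entry.name] = is_promiscuous(parse_flags(flags_file.read_text()))
        except (OSError, ValueError):
            continue  # unreadable or malformed entry; skip rather than abort
    return result


def build_fake_sysfs(flags_by_iface: dict) -> str:
    """Constructed fixture: mimic the sysfs layout in a temp dir (for offline testing)."""
    root = tempfile.mkdtemp()
    for iface, value in flags_by_iface.items():
        d = Path(root) / iface
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text(value + "\n")
    return root


if __name__ == "__main__":
    for iface, promisc in scan_interfaces().items():
        print(f"{iface}: {'PROMISCUOUS' if promisc else 'normal'}")
```

On a real host, a line such as "device eth0 entered promiscuous mode" in the kernel log is the matching historical record of the same event.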

I remember teaching a Security+ class at a college once. One of the students was in the Army and had administrative privileges on his system. The next day he downloaded Wireshark, installed it, and began sniffing the network. Within about 15 minutes security administrators were at his desk looking over his shoulder asking what he was doing. Thankfully, you can't get fired from the Army very easily, but the same may not be true at your job.

Good luck in your studies.

Darril Gibson