NIC in promiscuous mode - what traffic can it see?
-
What kind traffic would a NIC in promiscuous mode see on the network?
I thought a switch would only send traffic to each port that contains either
- LAN broadcast traffic, like arp requests
- traffic that is for a mac address that the switch has learned resides on that port.
Are there anything else?
I've read it could be a security issue but I can't see why it would be serious.
-
@Pete-S If I'm not mistaken, what you've described is expected behaviour for a typically configured switchport and NIC.... If a NIC were configured in promiscuous mode on a hub (ick) I would expect it to see all traffic on the hub... not sure if this is along the lines of what you're looking for but it's the only gotcha I can think of based on your query... mind you the 3yo woke me up to watch Paw Patrol at some ungodly hour this morning so I might not be the sharpest at the moment
-
Typically you only want a NIC in promiscuous mode if it's sniffing traffic on a network tap.
NICs in Promiscuous mode can be used for doing ARP poisoning (making a switch forget which port a device is on and making it broadcast to all ports) or DHCP spoofing.
At my last job, I actually had a kid do this from one building and had all of the traffic on the student VLAN coming through his laptop so he could use FireSheep and steal people's Facebook cookies & credentials, so yeah it can be a security issue.
-
@dafyre said in NIC in promiscuous mode - what traffic can it see?:
Typically you only want a NIC in promiscuous mode if it's sniffing traffic on a network tap.
NICs in Promiscuous mode can be used for doing ARP poisoning (making a switch forget which port a device is on and making it broadcast to all ports) or DHCP spoofing.
At my last job, I actually had a kid do this from one building and had all of the traffic on the student VLAN coming through his laptop so he could use FireSheep and steal people's Facebook cookies & credentials, so yeah it can be a security issue.
How did you find out about that? Did you have an IDS?
-
@dafyre said in NIC in promiscuous mode - what traffic can it see?:
Typically you only want a NIC in promiscuous mode if it's sniffing traffic on a network tap.
NICs in Promiscuous mode can be used for doing ARP poisoning (making a switch forget which port a device is on and making it broadcast to all ports) or DHCP spoofing.
I've also noticed that if you have floating virtual IPs, for instance for some kind of failover, NICs also have to be in promiscuous mode.
I looked up ARP poisoning and the other things you mentioned. From a security point of view I understand how that could become a big problem.
-
@Pete-S said in NIC in promiscuous mode - what traffic can it see?:
@dafyre said in NIC in promiscuous mode - what traffic can it see?:
Typically you only want a NIC in promiscuous mode if it's sniffing traffic on a network tap.
NICs in Promiscuous mode can be used for doing ARP poisoning (making a switch forget which port a device is on and making it broadcast to all ports) or DHCP spoofing.
At my last job, I actually had a kid do this from one building and had all of the traffic on the student VLAN coming through his laptop so he could use FireSheep and steal people's Facebook cookies & credentials, so yeah it can be a security issue.
How did you find out about that? Did you have an IDS?
Yeah, lol. That and I saw an abnormally large amount of traffic going through one access point in that building. There were some options I had to enable in our HP switches that prevented that from working... I'd have to ask my buddy who is still there what they are, though.
-
You can get a switch to give you all traffic on a mirrored port on the switch. This would allow you to see all the traffic on that other port. normally you would mirror the uplink port.
-
@Dashrender said in NIC in promiscuous mode - what traffic can it see?:
You can get a switch to give you all traffic on a mirrored port on the switch. This would allow you to see all the traffic on that other port. normally you would mirror the uplink port.
Yepp. That's typically where you'd put your IDS if you didn't have requirements that it be an in-line.