2

Is it a must for a packet sniffer to enable promiscuous mode? Can packets be sniffed without the NIC being in promiscuous mode? Also, when in promiscuous mode the NIC accepts all packets which are not addressed to its MAC address. Does it also mean that it responds to all packets (it receives) that require a response? E.g.: will it respond to all ARP requests (broadcast packets) not meant for its MAC? Will it respond to all ICMP echo messages?

faraz khan

2 Answers

2

Is it a must for a packet sniffer to enable promiscuous mode? Can packets be sniffed without the NIC being in promiscuous mode?

No, it is not a must, and sniffing can be done in non-promiscuous mode too.

Also, when in promiscuous mode the NIC accepts all packets which are not addressed to its MAC address. Does it also mean that it responds to all packets (it receives) that require a response? E.g.: will it respond to all ARP requests (broadcast packets) not meant for its MAC? Will it respond to all ICMP echo messages?

Sniffing can be done in non-promiscuous mode too, but it really depends on what traffic you want to sniff. If you want to sniff traffic that is not intended for your NIC's address, then use promiscuous mode. On the other hand, in non-promiscuous mode your NIC will drop/ignore packets that are not intended for its address. Your machine will by default respond to all the broadcasts and multicasts (if your machine is in the same multicast group). By the way, broadcast frames in general have a destination MAC address of FF:FF:FF:FF:FF:FF. That's the reason why every device will receive that packet.

In the case of ARP, only the particular machine that has the IP address for which the ARP query is being made will respond! If I make an ARP probe for 10.0.0.1, then my ARP probe/packet will contain this information and the ARP probe will be broadcast. So every machine on the same broadcast domain receives the ARP probe/packet, but only the machine with the 10.0.0.1 IP will reply to this ARP probe. Others will drop it.

For TCP/IP I would recommend TCP/IP Illustrated, Volume 1: The Protocols, 2nd Edition, by Kevin R. Fall and W. Richard Stevens. I had it in my bachelor's and it is a great book that will clear up all the concepts. I would like to recommend it.

ρss
1

Simply put, if not in promiscuous mode, NIC will drop any L2 traffic that is not intended for it. Any and all traffic that is neither directly addressed to the NIC nor a {broad,multi}cast will be dropped before it reaches the OS assuming the NIC behaves normally.

cptMikky
  • But when I change the network adapter's MAC address from the OS, how does the NIC know this without communicating with the OS? – Batuhan Jun 03 '15 at 14:29
  • @Batuhan I don't believe anything changes in the firmware of the NIC when you do that -- I believe that's a setting used by the OS driver. You can spoof the MAC address of a NIC, move the NIC into a different computer, and the new computer will see it with its old MAC since it's burned into the chip of the card. – armani Jun 03 '15 at 15:06
  • Promisc mode has nothing to do with, nor has any impact on, the NIC's MAC address. – cptMikky Jun 03 '15 at 15:38
  • @armani Yes, I think the same, but if the NIC drops the package on L2 and changing the MAC address doesn't have any impact on the NIC, when we change our MAC address via the OS we shouldn't be able to receive packages. I'm a bit lost here :/ – Batuhan Jun 03 '15 at 17:47
  • 1
    @Batuhan I think you're confusing the control the driver has with the awareness the NIC has. The NIC is a peripheral... even though it has a microchip on it, it does not really think for itself on that level. The OS driver does the actual checking of the Layer 2 address. – armani Jun 03 '15 at 21:26
  • The MAC address is what the NIC responds to on L2. It is usually stored onboard the NIC in a ROM memory. The NIC is, however, programmable to some extent. Don't take this for granted, I'm not a HW design expert, but to my understanding the ROM on a NIC holds only some "default" configuration data which is loaded by the firmware upon power up. These settings can then be modified at runtime - usually from the host OS. One of these values is the MAC address. The best example of NIC programming would be a WLAN, where the firmware is flashed by the OS on each boot and is not stored on board at all. – cptMikky Jun 04 '15 at 07:27
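
The distinction the question asks about, as an added example that is not part of the original posts: a simplified model in which the receive filter decides whether a frame reaches the OS, and a separate check decides whether an ARP request gets a reply. The function names, MAC addresses and IP addresses are constructed for illustration, and real NICs and drivers split this work differently.

```python
# Simplified model (added example): L2 receive filter vs. ARP reply decision.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' (or with '-') into 6 raw bytes."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)

def nic_accepts(dst, nic_mac, mcast_groups=(), promisc=False):
    """Return why a frame is passed up to the OS, or None if it is dropped."""
    d = parse_mac(dst)
    if d == parse_mac(nic_mac):
        return "unicast"            # addressed to this NIC
    if d == parse_mac(BROADCAST):
        return "broadcast"          # every station accepts these
    # The low bit of the first octet marks a group (multicast) address;
    # it is accepted only if the host joined that group.
    if d[0] & 0x01 and d in {parse_mac(g) for g in mcast_groups}:
        return "multicast"
    # Promiscuous mode only disables the drop; it adds no other behaviour.
    return "promiscuous" if promisc else None

def arp_replies(target_ip, local_ips):
    """A host answers an ARP request only for an IP address it owns."""
    return target_ip in local_ips

def handle_arp_request(dst, target_ip, nic_mac, local_ips, promisc):
    """Return (frame visible to a sniffer on this host, host sends ARP reply)."""
    seen = nic_accepts(dst, nic_mac, promisc=promisc) is not None
    return seen, seen and arp_replies(target_ip, local_ips)

# Constructed sample values (locally administered MACs, private IPs).
NIC = "02:00:00:00:00:01"
OTHER_HOST = "02:00:00:00:00:02"
MY_IPS = {"10.0.0.7"}

if __name__ == "__main__":
    for promisc in (False, True):
        print("promisc=%s" % promisc,
              "frame to other host:", nic_accepts(OTHER_HOST, NIC, promisc=promisc),
              "| ARP who-has 10.0.0.1:",
              handle_arp_request(BROADCAST, "10.0.0.1", NIC, MY_IPS, promisc))
```

In this model the broadcast ARP request for 10.0.0.1 is seen with or without promiscuous mode and is never answered by the host that owns only 10.0.0.7; promiscuous mode changes only whether the frame addressed to the other host is seen.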