I have read that we can detect whether a system is running in promiscuous mode by sending out an ARP request with a fake broadcast address, e.g. FF:FF:FF:FF:FF:FE. This will be blocked by all NICs operating in normal mode but will be allowed by a NIC operating in promiscuous mode, and thus it will respond to the message. But I am a bit confused:
1. Won't the system in promiscuous mode respond to the ARP request only if its IP matches the IP in the target (destination) field of the ARP request packet?
2. If we were to go by the above logic, then all the systems will respond to an ARP (broadcast) request packet, since it would pass through the hardware filter (NIC).
3. Suppose only that system in promiscuous mode responds to the fake broadcast ARP packet which has the same IP as that in the ARP (request) packet destination field, then how do we find all systems (on that subnet) operating in promiscuous mode, without targeting a particular IP?
Thanks
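
An added example, not part of the original post: a Python model of the probe described above. It builds the ARP request with the fake broadcast destination, applies the hardware filter as the post describes it, and sends one probe per IP to cover a subnet. The host table, MACs and addresses are constructed, and the reply logic assumes the post's premise that a host's stack answers once the NIC passes the frame up.

```python
import ipaddress
import struct

FAKE_BCAST = bytes.fromhex("fffffffffffe")   # fake broadcast address from the post
REAL_BCAST = b"\xff" * 6
SCANNER_MAC = bytes.fromhex("020000000001")  # constructed, locally administered

# Constructed hosts: ip -> (mac, NIC in promiscuous mode?)
HOSTS = {
    "192.0.2.10": (bytes.fromhex("020000000010"), False),
    "192.0.2.11": (bytes.fromhex("020000000011"), False),
    "192.0.2.20": (bytes.fromhex("020000000020"), True),
}

def build_arp_request(src_mac, src_ip, target_ip, dst_mac=FAKE_BCAST):
    """Ethernet II frame carrying an ARP who-has for target_ip (42 bytes)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, op=request
    arp += src_mac + ipaddress.IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def nic_passes(frame, nic_mac, promiscuous):
    """Hardware filter: normal mode passes only own MAC or real broadcast
    (multicast subscriptions are left out of this model)."""
    return promiscuous or frame[:6] in (nic_mac, REAL_BCAST)

def host_replies(frame, nic_mac, host_ip, promiscuous):
    """A host answers only if the NIC passes the frame AND the ARP target
    protocol address (bytes 38..41) is its own IP."""
    if not nic_passes(frame, nic_mac, promiscuous):
        return False
    if frame[12:14] != b"\x08\x06" or frame[20:22] != b"\x00\x01":
        return False
    return frame[38:42] == ipaddress.IPv4Address(host_ip).packed

def sweep(hosts, src_mac, src_ip):
    """One fake-broadcast probe per IP; every host sees every probe."""
    flagged = set()
    for target_ip in hosts:
        probe = build_arp_request(src_mac, src_ip, target_ip)
        for ip, (mac, promisc) in hosts.items():
            if host_replies(probe, mac, ip, promisc):
                flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(sweep(HOSTS, SCANNER_MAC, "192.0.2.1"))
```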