This depends on your sniffing implementation. For example, if you sniff on Win2k through a raw socket, the green realm firewall can see that your sniffing process created a raw socket. If an underlying driver such as WinPcap, or some other sniffing mode, is used, a general firewall cannot detect it, because such firewalls are concerned with socket-layer operations such as listening ports and connection status. However, the firewall may detect that your network card is in promiscuous mode.
Detecting whether the network card of the local machine is in promiscuous mode is easy to implement. However, detecting whether the network card of another machine on the network is in promiscuous mode seems difficult. I saw an article on sniffing and anti-sniffing techniques on the Internet that suggested an idea: modify the destination MAC address of the frame. Network cards not in promiscuous mode do not receive this wrong frame, while network cards in promiscuous mode will. The rest of the frame is correct and can be decoded correctly. Then determine whether the interface is in promiscuous mode by detecting whether the target interface responds to the packet.
This idea is very interesting, but I tested it, and the result was: whether or not it is in promiscuous mode, the target interface does not respond to the packet with the modified destination MAC.
It seems that this approach cannot be used! I think it may be that the NIC driver performs the MAC address check when decoding the Ethernet frame.
At this point, I have no way to determine whether an interface on the network is in promiscuous mode. I don't know what to do.
E-mail: fengzhou8828@sina.com
QQ: 64213380
To Fengzhou8828:
Are you referring to sending an ARP request datagram to a pseudo-broadcast address (FF:FF:FF:FF:FF:FE) to detect a NIC in promiscuous mode? Yes, but even then there are false reports.
All interfaces can receive a broadcast address, so it cannot determine whether a network card is in promiscuous mode!
I am talking about changing the destination MAC to a non-existent address while everything else is correct. It is a pity that this method cannot be used!
The normal broadcast address is (ff:ff:ff:ff:ff:ff), and all network cards will respond to it, but with (ff:ff:ff:ff:ff:fe), network cards not in promiscuous mode do not respond.
A sniffing Win2000 system will respond to the 16-bit pseudo-broadcast address (FF:FF:00:00:00:00), and Win95/98/ME when sniffing will respond to the 8-bit pseudo-broadcast address (FF:00:00:00:00:00). *NIX systems differ in their reactions to the various broadcast addresses, but basically they will respond to the 31-bit one (ff:ff:ff:ff:ff:fe).
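The ARP probe discussed in the replies above, as an added example that is not part of the original thread: it builds the request frame for each pseudo-broadcast destination quoted there and recognises an ARP reply from the probed host among captured frames. The function names, the locally administered MAC addresses and the 192.0.2.x addresses are assumptions made for illustration; the code only builds and parses bytes and does not send or capture anything.

```python
import socket
import struct

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
# Probe destinations quoted in the thread (every bit but the last, 16 bits, 8 bits).
PROBE_MACS = ("ff:ff:ff:ff:ff:fe", "ff:ff:00:00:00:00", "ff:00:00:00:00:00")

def mac_bytes(mac: str) -> bytes:
    """'ff:ff:ff:ff:ff:fe' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw

def arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header followed by an IPv4-over-Ethernet ARP body (42 bytes)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + socket.inet_aton(spa)
    arp += mac_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp

def build_arp_probe(probe_mac, my_mac, my_ip, target_ip) -> bytes:
    """Ordinary ARP request; only the Ethernet destination is unusual."""
    return arp_frame(probe_mac, my_mac, ARP_REQUEST,
                     my_mac, my_ip, "00:00:00:00:00:00", target_ip)

def arp_reply_sender(frame: bytes):
    """Return (mac, ip) of the sender if frame is an ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def answered(frames, target_ip) -> bool:
    """True if any captured frame is an ARP reply sent by target_ip."""
    return any((s := arp_reply_sender(f)) is not None and s[1] == target_ip
               for f in frames)

if __name__ == "__main__":
    me, host = ("02:00:00:00:00:01", "192.0.2.10"), ("02:00:00:00:00:02", "192.0.2.20")
    # Constructed capture: the host's reply to one probe (not real traffic).
    capture = [arp_frame(me[0], host[0], ARP_REPLY, host[0], host[1], me[0], me[1])]
    for mac in PROBE_MACS:
        probe = build_arp_probe(mac, me[0], me[1], host[1])
        print(mac, len(probe), "bytes; reply seen:", answered(capture, host[1]))
```

A host that answers a probe sent to one of these destinations accepted a frame its NIC filter would normally drop, which is the signal the thread describes; a missing answer proves nothing on its own, as the first poster's test shows.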