1 May 2009

Solaris stealth sniffing

A network interface that is sniffing the network is in promiscuous mode: it accepts packets that are not destined for its Ethernet address.
You can try to detect a promiscuous interface by tricking it into replying to a packet that is not sent to its Ethernet address (e.g. a malformed packet).

In Solaris you can make all such attempts fail by bringing the interface down.

# ifconfig bge0 down
# snoop -d bge0

You can still sniff on that interface!
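
Because the remote probe gets no reply from a down interface, the check has to happen on the host itself. The following is an added example, not part of the original post: it flags interfaces that are down while a snoop process is attached to them. The function names and both sample listings are constructed for illustration, and it assumes snoop appears in the process list under its own name with -d on the command line.

```sh
#!/bin/sh
# Constructed sample of Solaris `ifconfig -a` output; bge0 lacks the UP flag.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.0.2.20 netmask ffffff00 broadcast 192.0.2.255'

# Constructed sample of `ps -eo pid,args` output.
SAMPLE_PS='  PID COMMAND
  412 /usr/sbin/syslogd
 1733 snoop -d bge0
 1801 snoop -d bge1 port 53'

# Print interfaces whose flag list does not contain UP (reads ifconfig output).
down_interfaces() {
    awk '/^[a-z][a-z0-9:]*: flags=/ {
        name = $1; sub(/:$/, "", name)
        flags = $2; sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
        if (("," flags ",") !~ /,UP,/) print name
    }'
}

# Print the device given to -d for each snoop process (reads ps output).
snoop_devices() {
    awk '$2 == "snoop" || $2 ~ /\/snoop$/ {
        for (i = 3; i < NF; i++) if ($i == "-d") print $(i + 1)
    }'
}

# Print interfaces that are down yet have snoop attached.
# $1 = ifconfig output, $2 = ps output
stealth_sniffers() {
    down=$(printf '%s\n' "$1" | down_interfaces)
    printf '%s\n' "$2" | snoop_devices | while read -r dev; do
        for d in $down; do
            if [ "$d" = "$dev" ]; then echo "$dev"; fi
        done
    done
}

# Run against the constructed samples; on a live host pass
# "$(ifconfig -a)" and "$(ps -eo pid,args)" instead.
stealth_sniffers "$SAMPLE_IFCONFIG" "$SAMPLE_PS"
```

A capture tool running under another name, or one that does not take -d, is not caught by this check.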