Promiscuous mode
In computer networking, promiscuous mode or promisc mode is a mode for a network interface controller (NIC) that causes the NIC to pass all traffic it receives to the central processing unit (CPU) rather than just passing frames the NIC is intended to receive. This mode is normally used for packet sniffing and bridged networking for hardware virtualization.
In IEEE 802 networks such as Ethernet, token ring, and Wi-Fi, and in FDDI, each frame includes a destination Media Access Control address (MAC address). In non-promiscuous mode, when a NIC receives a frame, it normally drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast frame. In promiscuous mode, however, the card allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.
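The receive-filter rule described above, as an added model written for this article (not code from any NIC driver): a 14-byte Ethernet II header is parsed, and the frame is accepted in normal mode only when it is addressed to the card's own MAC, to the broadcast address, or to a group (multicast) address, while promiscuous mode accepts everything. The MAC addresses and frames are constructed sample values.

```python
"""Model of a NIC receive filter: which frames reach the CPU in
non-promiscuous vs promiscuous mode. Constructed example, not from a driver."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype


def is_multicast(mac: bytes) -> bool:
    """Group bit: least-significant bit of the first octet (set for broadcast too)."""
    return bool(mac[0] & 0x01)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Non-promiscuous: own unicast address, broadcast, or multicast only.
    Promiscuous: every frame, regardless of destination address."""
    dst, _, _ = parse_header(frame)
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST or is_multicast(dst)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample values: host A's NIC, and frames for another host B.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_GW = bytes.fromhex("020000000001")
FRAME_TO_B = build_frame(MAC_B, MAC_GW, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
FRAME_BCAST = build_frame(BROADCAST, MAC_GW, ETHERTYPE_ARP, b"\x00" * 28)


def mode_comparison(frame: bytes, own_mac: bytes) -> dict:
    """The same frame under both modes, side by side."""
    return {"normal": nic_accepts(frame, own_mac, False),
            "promiscuous": nic_accepts(frame, own_mac, True)}
```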
Many operating systems require superuser privileges to enable promiscuous mode. A non-routing node in promiscuous mode can generally only monitor traffic to and from other nodes within the same broadcast domain (for Ethernet and Wi-Fi) or ring (for token ring or FDDI). Computers attached to the same network hub satisfy this requirement, which is why network switches are used to combat malicious use of promiscuous mode. A router may monitor all traffic that it routes.
Promiscuous mode is often used to diagnose network connectivity issues. There are programs that make use of this feature to show the user all the data being transferred over the network. Some protocols like FTP and Telnet transfer data and passwords in clear text, without encryption, and network scanners can see this data. Therefore, computer users are encouraged to stay away from insecure protocols like Telnet and use more secure ones such as SSH.
Detection
As promiscuous mode can be used in a malicious way to sniff on a network, one might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine, because the NIC passes such frames up to the host's protocol stack instead of dropping them. An example is sending a ping (ICMP echo request) with the wrong MAC address but the right IP address: a host in normal mode never sees the frame, while a host in promiscuous mode may answer it. However, experienced sniffers can prevent this (e.g., using carefully designed firewall settings); if the firewall blocks all ICMP traffic, the reply is suppressed and this probe detects nothing.
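A host-side complement to the network probe above, as an added example (not from the article): on Linux the kernel exposes each interface's IFF_* flag bits in /sys/class/net/<iface>/flags, where IFF_PROMISC is 0x100, and it logs "device <iface> entered promiscuous mode" / "left promiscuous mode" whenever the mode changes, so both the live flags and the kernel log can be checked. The log lines below are constructed samples; the sysfs scan returns an empty list where that directory does not exist.

```python
"""Find interfaces in promiscuous mode on a Linux host from two signals:
the live IFF_PROMISC flag in sysfs and the kernel's mode-change log lines.
Added example; constructed sample log, not a real capture."""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit from linux/if.h
PROMISC_LOG = re.compile(
    r"device (?P<iface>\S+) (?P<event>entered|left) promiscuous mode")


def is_promisc(flags_value: str) -> bool:
    """flags_value is the hex text of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_value.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sys_net: Path = Path("/sys/class/net")) -> list:
    """Names of interfaces whose flags currently carry IFF_PROMISC."""
    if not sys_net.is_dir():
        return []
    found = []
    for iface in sorted(sys_net.iterdir()):
        flags = iface / "flags"
        if flags.is_file() and is_promisc(flags.read_text()):
            found.append(iface.name)
    return found


def promisc_events(log_lines) -> dict:
    """Replay kernel log lines in order; return the interfaces still in
    promiscuous mode at the end, each mapped to the line that enabled it."""
    active = {}
    for line in log_lines:
        m = PROMISC_LOG.search(line)
        if not m:
            continue
        if m.group("event") == "entered":
            active[m.group("iface")] = line.strip()
        else:
            active.pop(m.group("iface"), None)
    return active


# Constructed sample kernel log (dmesg-style prefixes), not a real capture.
SAMPLE_LOG = [
    "[ 1201.334] device eth0 entered promiscuous mode",
    "[ 1240.010] device eth1 entered promiscuous mode",
    "[ 1300.772] device eth1 left promiscuous mode",
]

if __name__ == "__main__":
    print("sysfs:", promisc_interfaces())
    print("log:", promisc_events(SAMPLE_LOG))
```

An interface that shows IFF_PROMISC without a matching log entry in the retained journal is worth a closer look, since the flag can only be set through the kernel path that emits that message.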
Some applications that use promiscuous mode
- NetScout Sniffer
- OmniPeek
- Capsa for WiFi
- Aircrack-ng
- KisMAC (used for WLAN)
- AirSnort (used for WLAN)
- Wireshark (formerly Ethereal)
- tcpdump
- IPTraf
- PRTG (Paessler Router Traffic Grapher)
- Kismet
- VMware's VMnet bridging
- Cain and Abel
- Driftnet
- Microsoft Windows Network Bridge
- XLink Kai
- WC3Banlist
- Snort
- ntop
- Firesheep
- VirtualBox (bridged networking mode)
- CommView for WiFi
- AccessData SilentRunner