-
Notifications
You must be signed in to change notification settings - Fork 3.1k
Detecting promiscuous sniffers with masscan
Robert David Graham edited this page Oct 23, 2013
·
1 revision
Is somebody on the local Ethernet eavesdropping on network traffic? There is a simple way you can tell with masscan.
Let's say that your current IP address is 192.168.1.103, and you want to test if anybody is sniffing traffic. You'd run the following command:
masscan 192.168.1.0/24 --ping --dst-mac aa:aa:aa:aa:aa:aa
If you see any responses, then it means their network interface is in promiscuous mode.
What the --dst-mac
parameter does here is overwrite the destination MAC address to the bogus value of aa:aa:aa:aa:aa:aa
. This is an invalid MAC address, so no machine can receive the ping packets -- unless they are in promiscuous mode.