1. Detection of Promiscuous nodes Using Arp Packets By Engin Arslan

2. Introduction Threats in local networks Packet sniffing can lead to access private, confidential data Use Arp packets to identify sniffers

3. Principle of Sniffing Local networks are composed of Ethernet. Messages sent through local networks are expected to reach right person

4. Principle of Sniffing Network Interface Card manages to decide receive or drop packet ▫If own interface is destination then receive, drop otherwise Set NIC to Prosmicious Mode to receive all packet regardless of destionation Sniffer

6. Hardware Filter NIC basically can set up for 4 filters 1.Unicast: Receive packets destined to same address 2.Broadcast: Receive all broadcast packets 3.All multicast: Receive multicast packets 4.Promiscuous: Receive all packet on the network without checking destination

7. Arp Mechanism Used to convert IP address & hardware address Who is 192.1.10.15 I am 192.1.10.15 with hw add 00.00.00.00.00.0 1

8. ARP Packet Detection&Response There are two kinds of filtering 1.Hardware Filter: ARP packet is received if destination address of ARP is valid 2.Software Filter: Requested IP address is same as host address

10. Software Filter in Linux

12. Detection of Promiscuous Mode  Prepare ARP packet with following properties Destination of ARP packet is targeted PC FF.FF.FF.FF.FF.FE

13.  Send this packet to network  This packet is supposed to be blocked by hardware filter of target machine. If target machine reply ARP request, then it is in Promiscuous mode

14. QUESTIONS