[plug] Monitoring IP

Matt Kemner zombie at wasp.net.au
Thu Jan 4 11:47:58 WST 2001


On Thu, 4 Jan 2001, Bernard Blackham wrote:

> Having no experience working with routers myself, my suggestion is purely
> theoretical. If your network isn't switched, but rather just running on a
> hub, then could a linux machine have its network card placed in
> promiscuous and watch all traffic on the network,

Yes, that works just fine.
In fact, that's the best way to tell a hub from a switch if you can't work
it out from looking at it, or you are not physically on site - ping one
host from another and see if you can watch it on a third host in tcpdump.

> then filter stuff going to and from the router? 

You can't filter the traffic, only watch it.

Although there is at least one "firewall" program for 'doze that you can
do some form of packet filtering with in this sort of scenario - it sends
out forged "destination port unreachable" and/or FIN packets in order to
break connections you want it to filter.  Haven't seen something similar
for Linux though, probably because it's a real dodgy hack and won't
improve your security much (or at all) and the only use for it would be to
implement policy (e.g. prevent your staff from accessing certain websites).
 
 - Matt
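
The hub-versus-switch check described in the message above, as an added example that is not part of the original post: it reads `tcpdump -n` text output captured on the third host while one host pings another and classifies the segment. The function name, addresses and capture lines are constructed for illustration.

```python
import re

# tcpdump -n text format for ICMP echo traffic.
ICMP = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id \d+, seq (?P<seq>\d+)"
)

def classify_segment(lines, observer, host_a, host_b, min_pairs=3):
    """Classify the segment from what a third host (observer) captured
    while host_a pinged host_b. Assumes the ping really was running."""
    requests, replies = set(), set()
    for line in lines:
        m = ICMP.search(line)
        if not m or observer in (m["src"], m["dst"]):
            continue  # non-ICMP, or our own traffic, proves nothing
        flow = (m["src"], m["dst"], m["kind"])
        if flow == (host_a, host_b, "request"):
            requests.add(int(m["seq"]))
        elif flow == (host_b, host_a, "reply"):
            replies.add(int(m["seq"]))
    if len(requests & replies) >= min_pairs:
        return "hub"           # sustained unicast between two other hosts
    if not requests and not replies:
        return "switch"        # none of their unicast reached our port
    # Added caveat: a switch floods frames until it has learned the
    # destination MAC, so a stray packet or two is not proof of a hub.
    return "inconclusive"

# Constructed sample captures (hypothetical addresses, not from the post).
A, B, OBSERVER = "192.168.1.10", "192.168.1.20", "192.168.1.30"
HUB = [
    f"11:48:0{s}.000100 IP {src} > {dst}: ICMP echo {kind}, id 4242, seq {s}, length 64"
    for s in (1, 2, 3)
    for src, dst, kind in ((A, B, "request"), (B, A, "reply"))
]
SWITCH = [
    "11:48:01.000050 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 46",
    "11:48:05.100000 IP 192.168.1.30 > 192.168.1.1: ICMP echo request, id 77, seq 1, length 64",
]
FLOODED = [HUB[0]]  # only the first request leaked to our port

if __name__ == "__main__":
    for name, cap in (("HUB", HUB), ("SWITCH", SWITCH), ("FLOODED", FLOODED)):
        print(name, "->", classify_segment(cap, OBSERVER, A, B))
```
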
