Re: How to disable the promiscuous mode of network adaptor





"fongfong" <fongfong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ECF3E95E-FAF4-43A2-9D4D-671DE7AB342D@xxxxxxxxxxxxxxxx


"Thomas F. Divine [DDK MVP]" wrote:


"fongfong" <fongfong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EA605B63-A52E-4FAC-B249-27A6C15E751C@xxxxxxxxxxxxxxxx
> Hello buddies,
> Is there any method to disable the promiscuous mode of the network adaptor
> under Windows? Some kind of monitoring software, as sniffer, will set the
> adaptor into promiscuous mode to sniff something, how to disable this
> priority of the network adaptor? Thanks.

No way that I know of to disable this facility effectively.

Thomas F. Divine, Windows DDK MVP
http://www.pcausa.com


Thomas,
Thanks for your reply, seems the answer is determinate, :-). But I have more
concern on one point, actually APIs provided to application to set the
promiscuous mode active will finally be executed by OS kernel (specifically,
the device driver), so if the driver does not set the promiscuous mode to
network adaptor although application requests it, the network adaptor will
not be set in promiscuous. Am I right?

Indirectly you are right.

Only a device driver, such as an NDIS protocol driver, can actually call NDIS to make the adapter enter promiscuous mode.

Your problem is that there is no standard interface between user-mode applications and their companion NDIS component. For example, the DDK NDISPROT sample illustrates one possible IOCTL API that could be used to set promiscuous mode. The PCAUSA Rawether product (http://www.rawether.net) uses its own proprietary IOCTL API, WinPCap yet another and so on.

IOW, there is no system API to hook. Only a variety of proprietary IOCTL interfaces with nothing in common. I don't think there is a practical way for you to find them all (or find those not yet invented) and block them.

Of course, you could add an NDIS intermediate filter driver of your own that would block the attempt to set promiscuous mode, but there is no guarantee that your filter would not have yet another filter below it that could make changes you are not aware of.

Good luck,

Thomas F. Divine
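
The filtering decision described in the reply above, modelled in user-mode C as an added example (not code from the thread, the DDK, or any product named in it). The `oid_set_request` struct and the function names are hypothetical stand-ins for the OID set request a real NDIS filter would intercept; the constant values are those defined in `ntddndis.h`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in the Windows header ntddndis.h. */
#define OID_GEN_CURRENT_PACKET_FILTER 0x0001010EU
#define NDIS_PACKET_TYPE_DIRECTED     0x00000001U
#define NDIS_PACKET_TYPE_BROADCAST    0x00000008U
#define NDIS_PACKET_TYPE_PROMISCUOUS  0x00000020U

/* Hypothetical stand-in for the set-information part of an NDIS OID request. */
typedef struct { uint32_t oid; void *buffer; size_t buffer_len; } oid_set_request;
typedef enum { PASS_UNCHANGED, PASS_MODIFIED, REJECT_MALFORMED } filter_verdict;

/* Decide what to forward to the driver below: strip the promiscuous bit, keep the rest. */
filter_verdict filter_oid_set(oid_set_request *req)
{
    uint32_t filter;
    if (req->oid != OID_GEN_CURRENT_PACKET_FILTER)
        return PASS_UNCHANGED;              /* not a packet-filter change */
    if (req->buffer == NULL || req->buffer_len < sizeof filter)
        return REJECT_MALFORMED;            /* never read past a short buffer */
    memcpy(&filter, req->buffer, sizeof filter);
    if (!(filter & NDIS_PACKET_TYPE_PROMISCUOUS))
        return PASS_UNCHANGED;
    filter &= ~NDIS_PACKET_TYPE_PROMISCUOUS; /* may leave 0: binding receives nothing */
    memcpy(req->buffer, &filter, sizeof filter);
    return PASS_MODIFIED;
}

/* Runs one constructed request through the handler; returns what is passed down. */
uint32_t demo_filtered_value(uint32_t requested)
{
    oid_set_request req = { OID_GEN_CURRENT_PACKET_FILTER, &requested, sizeof requested };
    filter_oid_set(&req);
    return requested;
}

int main(void)
{
    uint32_t asked = NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_PROMISCUOUS; /* constructed */
    printf("requested 0x%02x, passed down 0x%02x\n",
           (unsigned)asked, (unsigned)demo_filtered_value(asked));
    return 0;
}
```

As the reply notes, this only covers requests that pass through the filter's own position in the stack; a component bound below it is not seen by this check.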
