Re: How to disable the promiscuous mode of network adaptor

"Thomas F. Divine [DDK MVP]" wrote:


"fongfong" <fongfong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECF3E95E-FAF4-43A2-9D4D-671DE7AB342D@xxxxxxxxxxxxxxxx


"Thomas F. Divine [DDK MVP]" wrote:


"fongfong" <fongfong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EA605B63-A52E-4FAC-B249-27A6C15E751C@xxxxxxxxxxxxxxxx
Hello buddies,
Is there any method to disable the promiscuous mode of the network adaptor
under Windows? Some kinds of monitoring software, such as sniffers, will set
the adaptor into promiscuous mode to sniff something. How can I disable this
priority of the network adaptor? Thanks.

No way that I know of to disable this facility effectively.

Thomas F. Divine, Windows DDK MVP
http://www.pcausa.com


Thomas,
Thanks for your reply, seems the answer is determinate, :-). But I have more
concern on one point: actually, APIs provided to applications to set the
promiscuous mode active will finally be executed by the OS kernel (specifically,
the device driver), so if the driver does not set the promiscuous mode on the
network adaptor although the application requests it, the network adaptor will
not be set in promiscuous mode. Am I right?

Indirectly you are right.

Only a device driver, such as an NDIS protocol driver, can actually call NDIS
to make the adapter enter promiscuous mode.

Your problem is that there is no standard interface between user-mode
applications and their companion NDIS component. For example, the DDK
NDISPROT sample illustrates one possible IOCTL API that could be used to set
promiscuous mode. The PCAUSA Rawether product (http://www.rawether.net) uses
its own proprietary IOCTL API, WinPcap yet another and so on.

IOW, there is no system API to hook. Only a variety of proprietary IOCTL
interfaces with nothing in common. I don't think there is a practical way
for you to find them all (or find those not yet invented) and block them.

Of course, you could add an NDIS intermediate filter driver of your own that
would block the attempt to set promiscuous mode, but there is no guarantee
that your filter would not have yet another filter below it that could make
changes you are not aware of.

Good luck,

Thomas F. Divine

Thanks a lot, sounds impossible to implement it. I feel frustrated about
this, :(. I will give up the trials on this.
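
The blocking filter suggested in the thread comes down to one decision on each packet-filter set request passing down the stack. The sketch below is an added example, not code from the thread or the DDK: it is a user-mode simulation in which `set_request_t`, `verdict_t`, `g_promisc_attempts` and `filter_set_request` are hypothetical names, and only the OID and packet-type values are the ones from the DDK headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* OID and packet-type bit values as defined in the Windows DDK headers. */
#define OID_GEN_CURRENT_PACKET_FILTER 0x0001010EU
#define NDIS_PACKET_TYPE_DIRECTED     0x00000001U
#define NDIS_PACKET_TYPE_BROADCAST    0x00000008U
#define NDIS_PACKET_TYPE_PROMISCUOUS  0x00000020U

/* Hypothetical, simplified stand-in for the set request a filter layer sees;
   a real driver receives an NDIS request structure instead. */
typedef struct {
    uint32_t oid;   /* object being set */
    void    *buf;   /* information buffer supplied by the upper driver */
    size_t   len;   /* length of that buffer in bytes */
} set_request_t;

typedef enum { PASS_UNCHANGED, PASS_STRIPPED, REJECT_BAD_LENGTH } verdict_t;

/* Hypothetical audit counter: how often promiscuous mode was requested. */
static unsigned long g_promisc_attempts;

/* Inspect a set request on its way down to the miniport. Only packet-filter
   sets are touched: the promiscuous bit is cleared and every other bit the
   upper protocol asked for is preserved, so normal traffic keeps flowing. */
verdict_t filter_set_request(set_request_t *req)
{
    uint32_t filter;

    if (req->oid != OID_GEN_CURRENT_PACKET_FILTER)
        return PASS_UNCHANGED;
    if (req->buf == NULL || req->len < sizeof(filter))
        return REJECT_BAD_LENGTH;               /* never read a short buffer */

    memcpy(&filter, req->buf, sizeof(filter));  /* buffer may be unaligned */
    if ((filter & NDIS_PACKET_TYPE_PROMISCUOUS) == 0)
        return PASS_UNCHANGED;

    g_promisc_attempts++;                       /* record the attempt */
    filter &= ~NDIS_PACKET_TYPE_PROMISCUOUS;
    memcpy(req->buf, &filter, sizeof(filter));
    return PASS_STRIPPED;
}
```

As the thread notes, this only governs requests that pass through this layer; a filter bound below it can still change the adapter's packet filter.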