Detecting if Adapter is in Promiscuous mode

Nathan Evans

Apr 23, 2002, 12:44:39 PM
Hello,

I need to determine if a specific adapter is in Promiscuous mode...

What this app does: http://www.ntsecurity.nu/toolbox/promiscdetect/faq.shtml

Any tips?

--
Nathan Evans

arkadyf

Apr 24, 2002, 7:20:11 AM
You can do it by DeviceIoControl with IOCTL_PROTOCOL_QUERY_OID.
Sniffers set the adapter in promiscuous mode to receive packets from/to
connected computers, not only from/to this one.
You can see it in PacketSetFilter() from NTpacket example in MSDN.
Arkady


Nathan Evans <f...@bar.com> wrote in message
news:eZCDWYu6BHA.1668@tkmsftngp03...

Nathan Evans

Apr 25, 2002, 10:29:12 AM
Where in MSDN is this? I searched for "PacketSetFilter", nothing came up..

As for DeviceIoControl, any examples, tips, websites? ;)

Thanks

"arkadyf" <ark...@hotmail.com> wrote in message
news:eWouJm36BHA.1456@tkmsftngp02...

arkadyf

Apr 25, 2002, 1:16:38 PM
"Ntpacket.exe: Updated Windows NT 4.0 NDIS 3.0 Packet Sample Available"
Q238652 KB MSDN
Arkady

Nathan Evans <f...@bar.com> wrote in message

news:u4ApQWG7BHA.2320@tkmsftngp02...

Thomas F. Divine

Apr 25, 2002, 3:15:18 PM
You can use the PCAUSA "OID Scope" to check this on Windows NT/2000/XP
without having a driver. OID Scope can be downloaded from:

http://www.pcausa.com/Utilities/ndistools.htm

Make a query for OID_GEN_CURRENT_PACKET_FILTER using the Make NDIS Request
feature on the Properties page.

(The PCAUSA web host, Earthlink, is having some problems today. So, try
again later if you can't reach the site...)

Good luck,
--
Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
<http://www.pcausa.com> - <http://www.rawether.net>

"arkadyf" <ark...@hotmail.com> wrote in message

news:uWLOOSH7BHA.2216@tkmsftngp03...

Nathan Evans

Apr 27, 2002, 12:00:56 PM
What about programmatically :)

Do you know any more of the method that this ntsecurity.nu tool uses?
http://www.ntsecurity.nu/toolbox/promiscdetect/faq.shtml

Using DependencyWalker and W32dasm I can't find out much on the way it works
:(

Thanks!

"Thomas F. Divine" <pca...@hotmail.com> wrote in message
news:ucgle7...@corp.supernews.com...

arkadyf

Apr 28, 2002, 2:39:42 AM
Hi, Nathan!
Download NTPacket from MSDN and see the use of DeviceIoControl there; a good
description of it can be found on the Windump site, because they use this
(modified) driver in their sniffer, or on www.cswl.com.
BTW, DependencyWalker shows that promiscdetect uses DeviceIoControl as the
second function (ordinal number 92 (0x52)) in kernel32.dll (I checked it on
NT4SP6 just now). Besides this, because promiscdetect does not use service
functions (that means no built-in driver in it), this is the only way to
communicate with the NDIS driver.
Arkady


Nathan Evans <f...@bar.com> wrote in message

news:uq6n0Sg7BHA.2176@tkmsftngp03...

Thomas F. Divine

Apr 29, 2002, 12:01:45 AM
On NT this could be IOCTL_NDIS_QUERY_GLOBAL_STATS. This is used in OID
Scope. The MACADDR II sample (with free source) also illustrates using this
IOCTL. See the URL:

http://www.pcausa.com/Utilities/macaddr2.htm

Good luck,
--
Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
<http://www.pcausa.com> - <http://www.rawether.net>

"arkadyf" <ark...@hotmail.com> wrote in message

news:ugDALcn7BHA.2488@tkmsftngp04...

Nathan Evans

May 12, 2002, 8:39:18 AM
Hi Thomas,

I finally got this utility downloaded.. seems for the past few weeks your
site has been rejecting my download request. :(

It works though, OID_GEN_CURRENT_PACKET_FILTER returns 43 when in
promiscuous mode, and 11 when not..

So how do I implement this programmatically?

Thanks!

"Thomas F. Divine" <pca...@hotmail.com> wrote in message
news:ucgle7...@corp.supernews.com...

Thomas F. Divine

May 12, 2002, 9:26:57 PM

"Nathan Evans" <f...@bar.com> wrote in message
news:#XElHIb#BHA.1980@tkmsftngp04...

> Hi Thomas,
>
> I finally got this utility downloaded.. seems for the past few weeks your
> site has been rejecting my download request. :(
>
> It works though, OID_GEN_CURRENT_PACKET_FILTER returns 43 when in
> promiscuous mode, and 11 when not..
>
> So how do I implement this programmatically?
>
> Thanks!

Yes, Earthlink/MindSpring made some "upgrades" to their web servers.
Unbeknownst to me, these totally hosed my site. The site has been moved and
is fully functional once again (I hope).

To implement the basic functionality you are looking for, see the PCAUSA
MACADDR II samples (including free source) at the URL:

http://www.pcausa.com/Utilities/macaddr2.htm

Do let me know if you see problems with the new site or downloads.

Regards,

Martin

May 13, 2002, 12:32:07 AM
Nathan,

Use the following defines to find out what is turned on:

#define NDIS_PACKET_TYPE_DIRECTED 0x0001
#define NDIS_PACKET_TYPE_MULTICAST 0x0002
#define NDIS_PACKET_TYPE_ALL_MULTICAST 0x0004
#define NDIS_PACKET_TYPE_BROADCAST 0x0008
#define NDIS_PACKET_TYPE_SOURCE_ROUTING 0x0010
#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020
#define NDIS_PACKET_TYPE_SMT 0x0040
#define NDIS_PACKET_TYPE_ALL_LOCAL 0x0080
#define NDIS_PACKET_TYPE_MAC_FRAME 0x8000
#define NDIS_PACKET_TYPE_FUNCTIONAL 0x4000
#define NDIS_PACKET_TYPE_ALL_FUNCTIONAL 0x2000
#define NDIS_PACKET_TYPE_GROUP 0x1000

cheers,
Martin

"Nathan Evans" <f...@bar.com> wrote in message news:<#XElHIb#BHA.1980@tkmsftngp04>...

Nathan Evans

May 16, 2002, 12:24:42 PM
Hi,

macaddr2 with the source code is perfect Thomas! :)

Thanks very much!

"Thomas F. Divine" <pca...@hotmail.com> wrote in message

news:udu5j5m...@corp.supernews.com...
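
An added example, not part of any post in this thread and not the PCAUSA MACADDR II source: it decodes the OID_GEN_CURRENT_PACKET_FILTER values reported above (43 and 11) with the flag list Martin posted and, on Windows, reads the value through DeviceIoControl with IOCTL_NDIS_QUERY_GLOBAL_STATS as Thomas suggested. Assumptions not taken from the thread: the function names, the numeric OID and IOCTL definitions (as in the DDK header ntddndis.h), and the device path, which the caller supplies.

```c
#include <stdio.h>
#include <string.h>

/* Added example. Flag values as posted by Martin (NDIS_PACKET_TYPE_ prefix dropped). */
static const struct { unsigned long bit; const char *name; } kTypes[] = {
    {0x0001, "DIRECTED"},       {0x0002, "MULTICAST"},      {0x0004, "ALL_MULTICAST"},
    {0x0008, "BROADCAST"},      {0x0010, "SOURCE_ROUTING"}, {0x0020, "PROMISCUOUS"},
    {0x0040, "SMT"},            {0x0080, "ALL_LOCAL"},      {0x1000, "GROUP"},
    {0x2000, "ALL_FUNCTIONAL"}, {0x4000, "FUNCTIONAL"},     {0x8000, "MAC_FRAME"},
};

int is_promiscuous(unsigned long filter) { return (filter & 0x0020) != 0; }

/* Returns "A|B|C" in a static buffer; bits not in the list are appended as hex. */
const char *filter_names(unsigned long filter)
{
    static char buf[192];
    size_t i, n = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof kTypes / sizeof kTypes[0]; i++) {
        if (!(filter & kTypes[i].bit)) continue;
        n += (size_t)snprintf(buf + n, sizeof buf - n, "%s%s", n ? "|" : "", kTypes[i].name);
        filter &= ~kTypes[i].bit;
    }
    if (filter)
        snprintf(buf + n, sizeof buf - n, "%s0x%lX", n ? "|" : "", filter);
    return buf;
}

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
/* Numeric definitions as in ntddndis.h; local names are this example's own. */
#define QUERY_GLOBAL_STATS CTL_CODE(FILE_DEVICE_PHYSICAL_NETCARD, 0, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define CURRENT_PACKET_FILTER_OID 0x0001010EUL
/* device is "\\\\.\\<adapter name>", supplied by the caller. Returns 1 on success. */
int query_filter(const char *device, unsigned long *filter)
{
    DWORD oid = CURRENT_PACKET_FILTER_OID, val = 0, got = 0;
    HANDLE h = CreateFileA(device, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    BOOL ok;
    if (h == INVALID_HANDLE_VALUE) return 0;
    ok = DeviceIoControl(h, QUERY_GLOBAL_STATS, &oid, sizeof oid, &val, sizeof val, &got, NULL);
    CloseHandle(h);
    if (!ok || got != sizeof val) return 0;
    *filter = val;
    return 1;
}
#endif
```

The two readings differ only in bit 0x0020: 43 decodes to DIRECTED|MULTICAST|BROADCAST|PROMISCUOUS and 11 to DIRECTED|MULTICAST|BROADCAST.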
