Editing Promiscuous mode

{{short description|Network interface controller mode that eavesdrops on messages intended for others}}
{{refimprove|date=August 2015}}

In [[computer networking]], '''promiscuous mode'''<ref>{{Cite web|url=https://www.blumira.com/glossary/promiscuous-mode|title=Glossary - Promiscuous Mode|website=blumira.com}}</ref><ref>{{Cite conference|author1=Zouheir Trabelsi|author2=Hamza Rahmani|title=Promiscuous Mode Detection Platform|year=2004| pages=279–292| publisher= SciTePress|conference=Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)|editor=INSTICC|url=https://www.scitepress.org/papers/2004/26829/26829.pdf|doi=10.5220/0002682902790292|isbn=972-8865-07-4}}</ref><ref>{{Cite web|url=https://www.tamos.com/docs/monitoring.pdf|title=Promiscuous Monitoring in Ethernet and Wi-Fi Networks|date= 2005|publisher=TamoSoft }}</ref><ref>{{Cite thesis|author1=Lee D. VanGundy|title=An analysis of network interface card promiscuous mode detection methods in virtual network|date=July 2014|url=https://objects.lib.uidaho.edu/etd/pdf/VanGundy_idaho_0089M_10382.pdf|degree=MSc|publisher=University of Idaho}}</ref> is a mode for a wired [[network interface controller]] (NIC) or [[wireless network interface controller]] (WNIC) that causes the controller to pass all traffic it receives to the [[central processing unit]] (CPU) rather than passing only the frames that the controller is specifically programmed to receive.  This mode is normally used for [[packet sniffing]] that takes place on a router or on a computer connected to a wired network or one being part of a [[wireless LAN]].<ref>[http://searchsecurity.techtarget.com/definition/promiscuous-mode SearchSecurity.com definition of promiscuous mode]</ref> Interfaces are placed into promiscuous mode by [[Network bridge|software bridges]] often used with [[hardware virtualization]].

In [[IEEE 802]] networks such as [[Ethernet]] or [[IEEE 802.11]], each frame includes a destination [[MAC address]].  In non-promiscuous mode, when a NIC receives a frame, it drops it unless the frame is addressed to that NIC's MAC address or is a [[Broadcasting (networking)|broadcast]] or [[multicast address]]ed frame.  In promiscuous mode, however, the NIC allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.

Many [[operating system]]s require [[superuser]] privileges to enable promiscuous mode. A non-routing [[node (networking)|node]] in promiscuous mode can generally only monitor traffic to and from other nodes within the same [[collision domain]] (for Ethernet and IEEE 802.11) or ring (for [[Token Ring]]).  Computers attached to the same [[Ethernet hub]] satisfy this requirement, which is why [[network switch]]es are used to combat malicious use of promiscuous mode. A [[router (computing)|router]] may monitor all traffic that it routes.

Promiscuous mode is often used to diagnose network connectivity issues. There are programs that make use of this feature to show the user all the data being transferred over the network. Some protocols like [[FTP]] and [[Telnet]] transfer data and passwords in clear text, without encryption, and network scanners can see this data. Therefore, computer users are encouraged to stay away from insecure protocols like telnet and use more secure ones such as [[SSH]].

==Detection==
As promiscuous mode can be used in a malicious way to capture private [[data in transit]] on a network, [[computer security]] professionals might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this (e.g., using carefully designed firewall settings). An example is sending a ping ([[ICMP echo request]]) with the wrong MAC address but the right IP address. If an adapter is operating in normal mode, it will drop this frame, and the IP stack never sees or responds to it. If the adapter is in promiscuous mode, the frame will be passed on, and the IP stack on the machine (to which a MAC address has no meaning) will respond as it would to any other ping.<ref>{{citation |url=http://www.just.edu.jo/~tawalbeh/nyit/incs745/presentations/Sniffers.pdf |title=Sniffers: Basics and Detection |version=Version 1.0-1|author=Sumit Dhar|publisher=Information Security Management Team, Reliance Infocomm|access-date=2024-12-01}}</ref> The sniffer can prevent this by configuring a firewall to block ICMP traffic.

==Some applications that use promiscuous mode==
The following applications and applications classes use promiscuous mode.
{{div col|colwidth=20em}}
;Packet Analyzer
* [[NetScout]] Sniffer
* [[Wireshark]] (formerly ''Ethereal'')
* [[tcpdump]]
* [[OmniPeek]]
* [[Capsa (software)|Capsa]]
* [[ntop]]
* [[Firesheep]]
;Virtual machine
* [[VMware]]'s VMnet [[Bridging (networking)|bridging]]
* [[VirtualBox]] bridging mode
;Containers
* [[Docker (software)|Docker]] with optional Macvlan driver on Linux
;[[Cryptanalysis]]
* [[Aircrack-ng]]
* [[AirSnort]]
* [[Cain and Abel (software)|Cain and Abel]]
;Network monitoring
* [[KisMAC]] (used for [[WLAN]])
* [[Kismet (software)|Kismet]]
* [[IPTraf]]
* [[Snort (software)|Snort]]
* [[CommView]]
;Gaming
* [[XLink Kai]]
{{div col end}}

==See also==
* [[Packet analyzer]]
* [[MAC spoofing]]
* [[Monitor mode]]

==References==
{{reflist}}

{{DEFAULTSORT:Promiscuous Mode}}
[[Category:Network analyzers]]