[techtalk] Interface settings - noarp, promisc...

coldfire rolick571 at duq.edu
Thu Aug 2 18:39:55 EST 2001

> 1. Is there any advantage by setting the sniffing interface (without IP address)
>    with NOARP and PROMISC settings?

well .. if you're sniffing with this interface by means of tcpdump,
sniffit, ethereal (etc.) and these are run by root (which should be the
case) then the card is automatically being put into PROMISC mode.  that's
the only way that it will recieve the packets not destined for it's

> 2. With NOARP set, the system interfaces would not be broadcasting it's ARP
>    addresses, so wouldn't this setting make that interface hard to spoof?
>    (Please correct me if I am wrong here)

the function of ARP is to map the 48-bit hardware address with the 32-bit
ip address of a network interface.  spoofing a hardware address is a hell
of a feat to accomplish .. unless you're using wireless networking of
course.  spoofing the ip address would still be possible.

and from what i understand, the only reason the sniffing interface would
send out an arp reply is if it recieved an arp request for it's hardware
address which means someone would have to know the ip address already (or
if they were portscanning the entire network).

disabling arp would prevent any connections on that interface.  


More information about the Techtalk mailing list