CN111917894A - Network card mixed mode detection technology - Google Patents

Publication number
CN111917894A
Authority
CN
China
Prior art keywords
network card
arp request
host
address
mode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010189188.4A
Other languages
Chinese (zh)
Inventor
刘正海
李京飞
李强
及晨鸣
张阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ronghui Huafang Technology Co ltd
Original Assignee
Beijing Ronghui Huafang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Ronghui Huafang Technology Co ltd filed Critical Beijing Ronghui Huafang Technology Co ltd
Priority to CN202010189188.4A priority Critical patent/CN111917894A/en
Publication of CN111917894A publication Critical patent/CN111917894A/en
Withdrawn legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a technology for detecting network card promiscuous mode. An ARP request whose destination address is FF-FF-FF-FF-FF-FE (an address that the system kernel can treat as a broadcast address) is sent to a host in the local area network. If the host's network card is in normal mode, the address is judged not to be a broadcast address and the ARP request is discarded directly. If the host's network card is in promiscuous mode, the system kernel treats the ARP request as addressed to a broadcast address and responds to it. When the system kernel responds to the ARP request, the host's network card can be judged to be in promiscuous mode.

Description

Network card mixed mode detection technology
Technical Field
The invention belongs to the field of information security and relates to a technology for detecting network card promiscuous mode on terminal hosts in a local area network.
Background
With the rapid development of networks, sniffing has become a major threat to network security in local area networks. Through network sniffing, malicious users can easily steal confidential documents and anyone's private information. Current sniffers all rely on the network card's promiscuous mode, yet there is no good method for detecting whether a host's network card is in promiscuous mode.
Local area networks are typically connected using Ethernet. Information carried over Ethernet using the IP (IPv4) protocol is transmitted in the clear unless it is encrypted by an encryption program. A person who sends information over the network may intend it to be received only by certain users, but the way Ethernet works gives unauthorized users an opportunity to steal such data. When Ethernet transmits information, data packets are sent to every network node; the node whose address matches the destination address receives the packet, and the other nodes simply discard it. Whether a packet is received or discarded is controlled by the Ethernet card: when packets arrive, the network card accepts only those whose destination address is its own, not all of them. That holds only while the network card is in non-promiscuous mode, however. A sniffer works differently: it sets its own network card to receive all network packets, regardless of whether a packet's destination address is its own. This network card mode is called promiscuous mode.
Therefore, the invention provides a network card promiscuous mode detection technology for detecting promiscuous-mode network cards on hosts in the network.
Disclosure of Invention
The invention aims to provide a network card promiscuous mode detection technology that targets sniffers listening through the network card's promiscuous mode and detects a host's promiscuous-mode network card by means of a specific ARP message.
The principle of the invention is as follows. A network card filters packets differently in promiscuous mode than in non-promiscuous mode. In non-promiscuous mode, the network card passes to the system kernel only packets addressed to the local address and broadcast (multicast, etc.) packets; a packet whose destination address is not the card's own is discarded by the network card. Promiscuous mode lets every passing packet through to the system kernel, so the kernel, sitting in the middle, can be used to detect promiscuous mode effectively. The system kernel also filters some packets. Taking Windows as an example:
FF-FF-FF-FF-FF-FF: this is the regular broadcast address. Whether in promiscuous mode or any other mode, it is received by the network card and passed to the system kernel.
FF-FF-FF-FF-00: the network card does not regard this as a broadcast address and discards it in non-promiscuous mode, but the system kernel considers it identical to FF-FF-FF-FF-FF-FF. In promiscuous mode it is received by the system kernel and treated as a broadcast address. This is true of all Windows operating systems.
FF-FF-00-00-00-00: the Windows kernel checks only the first two bytes, so it considers this a broadcast address identical to FF-FF-FF-FF-FF-FF. This is why FF-FF-FF-FF-00 is also treated as a broadcast address.
FF-00-00-00-00-00: Win9x and WinME examine only the first byte, so this is considered a broadcast address.
Therefore, the goal is for a network card in non-promiscuous mode to discard the probe packet and for the system kernel of a host in promiscuous mode to process it. An ARP request is sent with the destination address FF-FF-FF-FF-FF-FE (which the system kernel can treat as a broadcast address). A network card in normal mode judges that this address is not a broadcast address and discards the request directly; if the network card is in promiscuous mode, the system kernel treats the address as a broadcast address and responds to the ARP request.
The invention provides a network card promiscuous mode detection technology, which mainly comprises the following steps:
S1: an ARP request whose destination address is FF-FF-FF-FF-FF-FE (which the system kernel can treat as a broadcast address) is sent to a host in the network;
S2: if the host's network card is in normal mode, the address is judged not to be a broadcast address and the ARP request is discarded directly;
S3: if the host's network card is in promiscuous mode, the system kernel treats the ARP request as addressed to a broadcast address and responds to it;
S4: when the system kernel responds to the ARP request, the host's network card can be judged to be in promiscuous mode.
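The exchange in steps S1 to S4, as an added example that is not part of the patent: it builds the probe frame byte for byte and applies the S4 decision to whatever comes back. The function names, the `kernel_prefix` parameter and the MAC/IP values used to exercise it are assumptions of this example, the probed host is a constructed model of the filtering the description attributes to Windows, and putting the frame on the wire (a raw socket) is left out.

```python
import struct

PROBE_DST = bytes.fromhex("fffffffffffe")  # FF-FF-FF-FF-FF-FE, the page's probe address
BROADCAST = b"\xff" * 6                    # FF-FF-FF-FF-FF-FF, used as a control
ARP_FMT = "!6xH6s4s6s4s"                   # skip htype/ptype/hlen/plen, then op, sha, spa, tha, tpa

def arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Ethernet II header (EtherType 0x0806) plus 28-byte IPv4-over-Ethernet ARP body."""
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return dst + src + b"\x08\x06" + body

def build_probe(my_mac, my_ip, target_ip, dst=PROBE_DST):
    """S1: ARP request (op 1) for target_ip, sent to the fake broadcast address."""
    return arp_frame(dst, my_mac, 1, my_mac, my_ip, b"\x00" * 6, target_ip)

def simulated_host(frame, mac, ip, promiscuous, kernel_prefix=2):
    """Constructed model of the probed host (S2/S3), not a real network stack.
    kernel_prefix: leading FF bytes the kernel accepts as broadcast
    (2 in the page's Windows description; assumption of this example)."""
    dst = frame[:6]
    if not promiscuous and dst not in (mac, BROADCAST):
        return None  # S2: hardware filter discards the frame
    if dst != mac and dst[:kernel_prefix] != b"\xff" * kernel_prefix:
        return None  # kernel does not regard the destination as broadcast
    op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if op != 1 or tpa != ip:
        return None  # not an ARP request for this host's IP
    return arp_frame(sha, mac, 2, mac, ip, sha, spa)  # S3: ARP reply (op 2)

def verdict(reply, my_mac, target_ip):
    """S4: True if reply is an ARP reply from target_ip addressed to us."""
    if reply is None or len(reply) < 42 or reply[12:14] != b"\x08\x06":
        return False
    op, _sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, reply[14:42])
    return reply[:6] == my_mac and op == 2 and spa == target_ip
```

On a real segment, send the same request to FF-FF-FF-FF-FF-FF first as a control: silence on the probe only indicates normal mode if the host answers an ordinary ARP request.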
The attached drawings are as follows:
FIG. 1 is a diagram of the application model of the network card promiscuous mode detection technology;
FIG. 2 is a flow chart of the network card promiscuous mode detection method.

Claims (2)

1. A network card promiscuous mode detection technology, comprising the following steps:
S1: an ARP request whose destination address is FF-FF-FF-FF-FF-FE (which the system kernel can treat as a broadcast address) is sent to a host in the network;
S2: if the host's network card is in normal mode, the address is judged not to be a broadcast address and the ARP request is discarded directly;
S3: if the host's network card is in promiscuous mode, the system kernel treats the ARP request as addressed to a broadcast address and responds to it;
S4: when the system kernel responds to the ARP request, the host's network card can be judged to be in promiscuous mode.
2. A network card promiscuous mode detection technology, characterized in that when a host in the local area network receives an ARP request whose destination address is not its own address and responds to it, the host's network card can be judged to be operating in promiscuous mode.
CN202010189188.4A 2020-03-19 2020-03-19 Network card mixed mode detection technology Withdrawn CN111917894A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010189188.4A CN111917894A (en) 2020-03-19 2020-03-19 Network card mixed mode detection technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010189188.4A CN111917894A (en) 2020-03-19 2020-03-19 Network card mixed mode detection technology

Publications (1)

Publication Number Publication Date
CN111917894A (en) 2020-11-10

Family

ID=73237396

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010189188.4A Withdrawn CN111917894A (en) 2020-03-19 2020-03-19 Network card mixed mode detection technology

Country Status (1)

Country Link
CN (1) CN111917894A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20201110
