- How to disable the promiscuous mode of network adaptor
- Posted by fongfong on August 7th, 2006
Hello buddies,
Is there any method to disable the promiscuous mode of the network adaptor
under Windows? Some kind of monitoring software, as sniffer, will set the
adaptor into promiscuous mode to sniff something, how to disable this
priority of the network adaptor? Thanks.
- Posted by Thomas F. Divine [DDK MVP] on August 7th, 2006
"fongfong" <fongfong@discussions.microsoft.com> wrote in message
news:EA605B63-A52E-4FAC-B249-27A6C15E751C@microsoft.com...
No way that I know of to disable this facility effectively.
Thomas F. Divine, Windows DDK MVP
http://www.pcausa.com
- Posted by fongfong on August 8th, 2006
"Thomas F. Divine [DDK MVP]" wrote:
Thanks for you reply, seems the answer is determinate, :-). But I have more
concern on one point, actually APIs provided to application to set the
promiscuous mode active will finally be executed by OS kernel (specificly,
the device driver), so if the driver does not set the promiscuous mode to
network adaptor although application request to do, the network adaptor will
not be set in promiscuous. Am I right?
- Posted by Thomas F. Divine [DDK MVP] on August 8th, 2006
"fongfong" <fongfong@discussions.microsoft.com> wrote in message
news:ECF3E95E-FAF4-43A2-9D4D-671DE7AB342D@microsoft.com...
Indirectly you are right.
Only a device driver, such as a NDIS protocol driver, can actually call NDIS
to make the adapter enter promiscuous mode.
Your problem is that there is no standard interface between user-mode
applications and their companion NDIS component. For example, the DDK
NDISPROT sample illustrates one possible IOCTL API that could be used to set
promiscuous mode. The PCAUSA Rawether product (http://www.rawether.net) uses
its own proprietary IOCTL API, WinPCap yet another and so on.
IOW, there is no system API to hook. Only a variety of proprietary IOCTL
interfaces with nothing in common. I don't think there is a practical way
for you to find them all (or find those not yet invented) and block them.
Of course, you could add a NDIS intermediate filter driver of your own that
would block the attempt to set promiscuous mode, but there is no guarantee
that your filter would not have yet another filter below it that could make
changes you are not aware of.
Good luck,
Thomas F. Divine
- Posted by Pavel A. on August 8th, 2006
"fongfong" wrote:
a. Do not run monitoring software?
b. Disable promisc. mode in the sniffer.
For example, some version of Netmon does not use promisc mode.
--PA
- Posted by fongfong on August 17th, 2006
"Thomas F. Divine [DDK MVP]" wrote:
this, 
. I will give up the trials on this.
- Posted by fongfong on August 17th, 2006
"Pavel A." wrote:
netwok adaptor, 
- Posted by Pavel A. on August 19th, 2006
"fongfong" <fongfong@discussions.microsoft.com> wrote in message news:01C040FA-1922-4F0B-98AA-9C1912CE3E68@microsoft.com...
Aha. So it is your adapter. Then you can add a proprietary request
to block promisc mode, no matter how it has been set over NDIS interface.
--PA
