>As promiscuous mode can be used in a malicious way to capture private data in transit on a network, computer security professionals might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine.
Whatever it is, it's not that. A ping to a unicast IPv4 address in the local subnet won't be transmitted at the Ethernet layer until the IP has been resolved to an Ethernet MAC address via ARP. The troublesome host must have been responding to the broadcast ARP requests with ARP responses, too. Promiscuous mode makes no difference here as those ARP requests are broadcasts and you'll receive them with or without promiscuous mode.
I did a small research project years ago (like 16 years ago) where I tried to detect hosts in promiscuous mode. The entire effort wasn't super relevant even in 2010 because switched networks had already largely replaced old hubs but it was interesting stuff.
The most interesting thing I remember looking at was a tool called Neped. I can't find the source but it might be here: https://www.apostols.org/projects. As I recall, Neped would do things exactly like this article says — send an ping packet to the right IP address but wrong MAC address and see if it responds. I probably have the details wrong but that's the idea. It was some really clever stuff. I always wonder what old vulnerabilities like this we would rediscover if we put new computers on old networks (especially hubs).
Oh wow, that's a fun one. It sounds like the network card was in promiscuous mode.
The wikipedia page even has a bit about this.
https://en.wikipedia.org/wiki/Promiscuous_mode
>As promiscuous mode can be used in a malicious way to capture private data in transit on a network, computer security professionals might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine.
Whatever it is, it's not that. A ping to a unicast IPv4 address in the local subnet won't be transmitted at the Ethernet layer until the IP has been resolved to an Ethernet MAC address via ARP. The troublesome host must have been responding to the broadcast ARP requests with ARP responses, too. Promiscuous mode makes no difference here as those ARP requests are broadcasts and you'll receive them with or without promiscuous mode.
I did a small research project years ago (like 16 years ago) where I tried to detect hosts in promiscuous mode. The entire effort wasn't super relevant even in 2010 because switched networks had already largely replaced old hubs but it was interesting stuff.
The most interesting thing I remember looking at was a tool called Neped. I can't find the source but it might be here: https://www.apostols.org/projects. As I recall, Neped would do things exactly like this article says — send an ping packet to the right IP address but wrong MAC address and see if it responds. I probably have the details wrong but that's the idea. It was some really clever stuff. I always wonder what old vulnerabilities like this we would rediscover if we put new computers on old networks (especially hubs).