PCMCIA Ethernet with promiscuous mode? 3C589D?

Post by David Richar » Fri, 03 Jul 1998 04:00:00



Has anybody had particularly good success with any one promiscuous-mode PCMCIA
ethernet adapter? I'm currently considering the 3Com model 3C589D ($120).

I'm setting up a (Toshiba 780) laptop to do customer-site security and
debugging, and part of the requirements is some sniffing ability (white hat).
I have experience with the Data General line of sniffers, but no budget for
them, so I'm looking for a PCMCIA ethernet card with promiscuous mode.

I'm particularly looking for a card that will work promisc. under both Win95
and FreeBSD. Being able to use it under Solaris would be a plus, as would 10/100
support- this last is the one feature that the 3C589 lacks.

So far I've found the following cards listed as being promiscuous, most
were tested by Novell under 'http://developer.novell.com/search/' or listed
in 'http://www.ssinc.com/lansleuth/pcmcia/'.

=== What I've found so far ===

Ethernet PCMCIA cards:
        Linksys Ethernetcard (EC2T)
        D-Link 10Base-T
        MaxTech ?
        Proteon P1470
        Socket Communications EA, EA+
        Novell's National InfoMover NE4100
        3Com 3C589D (supported by FreeBSD and Solaris)
        Intel EtherExpress Pro (Dual purpose- includes modem)

Known _not_ to be promiscuous:
        Boca
        Eagle Novell Ne4200
        IBM PCMCIA Adapter II
        MegaHertz (may change)
        Thomas-Conrad TC5141-T
        Xircom CreditCard

Conflicting Reports:
        Xircom Pocket Adapter III (Novell says Yes, ssinc says No)

 
 
 

Post by Gardner Buchan » Sun, 05 Jul 1998 04:00:00




> Has anybody had particularly good success with any one promiscuous-mode PCMCIA
> ethernet adapter? I'm currently considering the 3Com model 3C589D ($120).

In FreeBSD, I have done a little debugging with a 3C589 (Not D)
using pcap/tcpdump.  It will definitely go promiscuous, and there
were no obvious problems.  I think you should consider the data
rates you expect to reliably intercept.  If you really want reliable
snooping on a loaded Ethernet, my guess is that PCMCIA devices are
not a great choice.  100mbps is out of the question.  You need
quite a fast processor and PCI to do that.  You also need to worry
about full duplex -> two 100mbps cards + duplex tap + very fast
bus and processor.  Not really laptop territory I think.

I am keen to hear more about network diagnostics/monitoring using
FreeBSD.  Had a look at the "network flight recorder"?

Good luck.

============================================================

Ottawa, ON             FreeBSD: Where you want to go. Today.

 
 
 

Post by David Richar » Tue, 07 Jul 1998 04:00:00








>> > Has anybody had particularly good success with any one promiscuous-mode PCMCIA
>> > ethernet adapter? I'm currently considering the 3Com model 3C589D ($120).

>> In FreeBSD, I have done a little debugging with a 3C589 (Not D)
>> using pcap/tcpdump.  It will definitely go promiscuous, and there
>> were no obvious problems.

Thanks, that's good to know.

>> I think you should consider the data rates you expect to reliably intercept.
>> If you really want reliable
>> snooping on a loaded Ethernet, my guess is that PCMCIA devices are
>> not a great choice.  100mbps is out of the question.  You need
>> quite a fast processor and PCI to do that.  You also need to worry
>> about full duplex -> two 100mbps cards + duplex tap + very fast
>> bus and processor.  Not really laptop territory I think.

Having had access to a Data General sniffer was nice, but I can't swing the
$$$ right now. For what I want to do (mostly intercept martian packets),
I'm not too worried about the data rate.

>You should also keep in mind that using promiscuous mode together with a
>switch is pretty useless. You will normally see only broadcast/multicast
>packets and the packets from/to your card.

I'm aware of that- part of the reason for bringing a sniffer is to
demonstrate to clients some of the reasons why they should move to a switched
architecture even if their overall traffic is low.
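
Added example, not part of the original thread: a small check of the switch remark quoted above, which reads a classic pcap capture (such as one written by tcpdump) and counts how many frames were unicast between other hosts, the only traffic that promiscuous mode adds. The function names, MAC addresses and the two sample captures are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_frames(pcap_bytes, own_mac):
    """Count Ethernet frames in a classic pcap capture by who they were meant for."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = dict.fromkeys(
        ("from_us", "to_us", "broadcast", "multicast", "foreign_unicast"), 0)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        dst, src = frame[0:6], frame[6:12]
        if src == own_mac:
            counts["from_us"] += 1
        elif dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:  # group bit set: multicast
            counts["multicast"] += 1
        elif dst == own_mac:
            counts["to_us"] += 1
        else:
            counts["foreign_unicast"] += 1  # only visible in promiscuous mode
    return counts

# --- constructed sample data (made-up, locally administered MACs) ---
OWN, HOST_B, HOST_C = (bytes.fromhex("02000000000" + n) for n in "123")
MCAST = bytes.fromhex("01005e000001")

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        f = dst + src + b"\x08\x00" + b"\x00" * 46  # minimal padded frame
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SHARED = build_pcap([(BROADCAST, HOST_B), (HOST_C, HOST_B), (OWN, HOST_B), (HOST_B, OWN)])
SWITCHED = build_pcap([(BROADCAST, HOST_B), (MCAST, HOST_C), (OWN, HOST_B), (HOST_B, OWN)])

if __name__ == "__main__":
    for name, cap in (("shared", SHARED), ("switched", SWITCHED)):
        print(name, classify_frames(cap, OWN))
```

A switch still floods frames for destinations it has not yet learned, so a handful of foreign unicast frames does not by itself prove a shared segment.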