fongfong
Thu Aug 17 10:33:02 CDT 2006
"Thomas F. Divine [DDK MVP]" wrote:
>
> "fongfong" <fongfong@discussions.microsoft.com> wrote in message
> news:ECF3E95E-FAF4-43A2-9D4D-671DE7AB342D@microsoft.com...
> >
> >
> > "Thomas F. Divine [DDK MVP]" wrote:
> >
> >>
> >> "fongfong" <fongfong@discussions.microsoft.com> wrote in message
> >> news:EA605B63-A52E-4FAC-B249-27A6C15E751C@microsoft.com...
> >> > Hello buddies,
> >> > Is there any method to disable the promiscuous mode of the network
> >> > adaptor
> >> > under Windows? Some kind of monitoring software, as sniffer, will set
> >> > the
> >> > adaptor into promiscuous mode to sniff something, how to disable this
> >> > priority of the network adaptor? Thanks.
> >>
> >> No way that I know of to disable this facility effectively.
> >>
> >> Thomas F. Divine, Windows DDK MVP
> >>
http://www.pcausa.com
> >>
> >>
> > Thomas,
> > Thanks for you reply, seems the answer is determinate, :-). But I have
> > more
> > concern on one point, actually APIs provided to application to set the
> > promiscuous mode active will finally be executed by OS kernel (specificly,
> > the device driver), so if the driver does not set the promiscuous mode to
> > network adaptor although application request to do, the network adaptor
> > will
> > not be set in promiscuous. Am I right?
>
> Indirectly you are right.
>
> Only a device driver, such as a NDIS protocol driver, can actually call NDIS
> to make the adapter enter promiscuous mode.
>
> Your problem is that there is no standard interface between user-mode
> applications and their companion NDIS component. For example, the DDK
> NDISPROT sample illustrates one possible IOCTL API that could be used to set
> promiscuous mode. The PCAUSA Rawether product (
http://www.rawether.net) uses
> its own proprietary IOCTL API, WinPCap yet another and so on.
>
> IOW, there is no system API to hook. Only a variety of proprietary IOCTL
> interfaces with nothing in common. I don't think there is a practical way
> for you to find them all (or find those not yet invented) and block them.
>
> Of course, you could add a NDIS intermediate filter driver of your own that
> would block the attempt to set promiscuous mode, but there is no guarantee
> that your filter would not have yet another filter below it that could make
> changes you are not aware of.
>
> Good luck,
>
> Thomas F. Divine
>
Thanks a lot, sounds impossible to implement it. I feel frustrated about
this, :(. I will give up the trials on this.