Promiscuous Mode
What is Promiscuous Mode?
Promiscuous ModeA network-interface mode in which the NIC delivers every frame on the wire to the operating system, enabling passive sniffing of traffic on a shared or mirrored segment.
Promiscuous mode is a configurable state of a network interface card that disables the normal MAC-address filter so the NIC passes every Ethernet frame it sees - regardless of destination - up to the OS. It is required by sniffers and IDS sensors such as Wireshark, tcpdump, Snort, and Zeek to observe traffic from other hosts. On a hub-based or mirrored (SPAN) segment, promiscuous mode yields all traffic; on modern switched networks, it must be combined with ARP spoofing, MAC flooding (CAM-table overflow), port mirroring, or a network tap to actually see other hosts' data. Promiscuous mode itself is not malicious, but is the prerequisite for passive reconnaissance, credential capture, and many MITM attacks. Defenses: monitor for unexpected promiscuous NICs (ARP-anomaly tools, EDR sensors), use 802.1X and switch-port security, and encrypt all sensitive traffic.
● Examples
- 01
Running tcpdump -i eth0 with promiscuous mode to capture mirrored SPAN traffic for incident response.
- 02
An attacker enabling promiscuous mode after ARP-spoofing the gateway to sniff clear-text credentials.
● Frequently asked questions
What is Promiscuous Mode?
A network-interface mode in which the NIC delivers every frame on the wire to the operating system, enabling passive sniffing of traffic on a shared or mirrored segment. It belongs to the Attacks & Threats category of cybersecurity.
What does Promiscuous Mode mean?
A network-interface mode in which the NIC delivers every frame on the wire to the operating system, enabling passive sniffing of traffic on a shared or mirrored segment.
How does Promiscuous Mode work?
Promiscuous mode is a configurable state of a network interface card that disables the normal MAC-address filter so the NIC passes every Ethernet frame it sees - regardless of destination - up to the OS. It is required by sniffers and IDS sensors such as Wireshark, tcpdump, Snort, and Zeek to observe traffic from other hosts. On a hub-based or mirrored (SPAN) segment, promiscuous mode yields all traffic; on modern switched networks, it must be combined with ARP spoofing, MAC flooding (CAM-table overflow), port mirroring, or a network tap to actually see other hosts' data. Promiscuous mode itself is not malicious, but is the prerequisite for passive reconnaissance, credential capture, and many MITM attacks. Defenses: monitor for unexpected promiscuous NICs (ARP-anomaly tools, EDR sensors), use 802.1X and switch-port security, and encrypt all sensitive traffic.
How do you defend against Promiscuous Mode?
Defences for Promiscuous Mode typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Promiscuous Mode?
Common alternative names include: Promisc mode, Network sniffing mode.
● Related terms
- attacks№ 062
ARP Spoofing
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- attacks№ 312
DHCP Spoofing
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- attacks№ 1135
TCP Reset Injection
An attack that forges TCP RST segments matching an existing connection so endpoints abruptly close it, breaking or hijacking the session.