felipe-alfaro.org

A silent network interface is one whose main purpose is to passively monitor for traffic while not revealing or advertising its presence. By default, network interfaces in UNIX-like systems, even when configured with no IP address, could send or respond to ARP traffic, thus defeating its stealthy operation.

To prevent a network interface from sending or responding to ARP traffic, one can configure the network interface to ignore it by supplying the -arp option to ifconfig. This will put the interface into NOARP mode and, when configured with no IP address, will become stealth.

For example:

# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:17 Base address:0x4000
# ifconfig eth1 -arp
# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:17 Base address:0×4000

In Fedora Core this can be easily achieved by adding the following line to the network interface configuration file, located in /etc/sysconfig/network-scripts:

ARP=no

For example, this line can be added to file /etc/sysconfig/network-scripts/ifcfg-eth1 so next time interface eth1 is brought up, it will be configured in NOARP mode. This can be done manually using two different commands:

• ifconfig eth1 -arp
• ip link set dev eth1 arp off

To re-enable ARP support:

• ifconfig eth1 arp
• ip link set dev eth1 arp on