During an internal security assessment you are allowed to run only active tests that will not disrupt production. To identify any workstations on a switched Ethernet segment that have their network cards set to promiscuous (sniffer) mode, you transmit a single Ethernet frame carrying an ARP request that lists the suspected host's IP address but sets the frame's destination MAC to 00:11:22:33:44:55-an address that does not belong to any device on the segment and is not the broadcast address. Which observation would confirm that the workstation is operating in promiscuous mode?
Repeated 802.1X EAP authentication failures are logged on the switch port connected to the workstation.
The workstation ignores the request but later sends a gratuitous ARP advertising its MAC for the same IP address.
The switch's CAM table briefly overflows and the uplink port shows a spike in traffic from multiple VLANs.
The workstation replies with a valid ARP response even though the request's Layer-2 destination MAC does not match its own or the broadcast address.
In normal (non-promiscuous) operation, a NIC drops any Ethernet frame whose destination MAC address is neither its own nor a broadcast/multicast address. By crafting an ARP request that contains the correct target IP but an unrelated unicast destination MAC, you ensure that only a NIC running in promiscuous mode will pass the frame up the network stack to the ARP process. If the target still generates a valid ARP reply, it proves that the interface accepted and processed a frame not addressed to it, confirming promiscuous-mode operation. The other choices describe behaviors that can occur for legitimate reasons or that are unrelated to sniffing detection, so they are not reliable indicators.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is promiscuous mode in a NIC?
Open an interactive chat with Bash
What is an ARP request and how does it work?
Open an interactive chat with Bash
Why does the Layer-2 MAC address mismatch matter in this scenario?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .