What is Promiscuous Mode?

Promiscuous mode is a network card configuration which passes all packets to the network adapter driver and protocol stack. It is supported by many wired and wireless network adapters and their drivers. Promiscuous mode is used by network analyzers, protocol analyzers and packet sniffers to allow inspection of network traffic. It is also used by some network bridges to pass traffic from one side of the bridge to the other.

A network card "listens" to the header of each packet that travels over the attached network. In its normal mode of operation, it processes only unicast and broadcast packets. A unicast packet is one which is addressed specifically to that network card alone. In contrast, a broadcast packet is intended to be received by all devices attached to the network. Both types of packets are normally received by a card, processed by its driver and passed up the network protocol stack.

An application or operating system (OS) can also enable multicast mode on a network adapter that supports it. To use this mode, one or more multicast group addresses are programmed into the card through its driver. When multicast mode is enabled, the card also receives and processes all multicast packets addressed to the group. In comparison, promiscuous mode allows all packets to be received and processed, regardless of the type or addressee.

Network adapters that do not include hardware multicast address support significantly burden their drivers and the protocol stack. When multicast mode is enabled on a card like this, the hardware is usually placed in promiscuous mode instead. Software must then filter out every packet which is not directed to one of the desired multicast group addresses. This places a very significant load on the central processor and on the OS kernel. It generally increases the response time of the network as well.

Packet sniffing is often the main use for promiscuous mode, also known as promisc mode. Network analyzers and packet sniffer software in this mode can capture all of the network traffic, which they can "hear." Once received, the packets can be stored for later analysis and decoding with the same or more complex software. Traffic received in this mode on a wired network is usually limited to the machines connected to a network switch or hub. Wireless traffic is normally limited to a particular service set or channel unless the radio frequency monitor mode is used.