During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan...

In CEH network security concepts, a common way to verify whether a host is running a sniffer is to test for promiscuous-mode behavior using an active stimulus and then observing whether the suspected machine reacts to traffic it should normally discard. The “ping method” is a classic approach: the tester sends ICMP Echo Request traffic crafted so the Ethernet frame uses an incorrect destination MAC address, while the IP layer still targets the suspected host’s IP. Under normal NIC operation, frames with a destination MAC that does not match the interface (and is not broadcast/multicast) are dropped at the data-link layer and never reach the IP stack, so the host will not respond.

If the interface is in promiscuous mode, the NIC passes more frames up to the operating system for processing. In some configurations, this can allow the IP stack to see and respond to the ICMP request even though the frame’s MAC destination was wrong. That unexpected reply is used as an indicator that the host may be capturing traffic promiscuously, consistent with sniffer presence.

The other options are less aligned with the “classic active verification” described. Reverse DNS monitoring is an indirect heuristic and not a reliable confirmation of promiscuous mode. An NSE script is tool-specific rather than the classic foundational technique the question emphasizes. ARP-based methods exist for sniffer detection, but the option presented is less directly tied to the well-known ICMP incorrect-MAC confirmation described in CEH materials.