Passive listening to layer-2 traffic

To detect systems on the network, the sensor uses WinPcap, a packet capture library.

It captures layer-2 broadcast packets sent by systems that are connected to the same network broadcast segment. It also listens passively to all layer-2 traffic for other network protocols, such as ARP and DHCP.

Note: The sensor doesn't determine whether the system is a rogue system. It detects systems connected to the network and reports these detections back to the McAfee ePO server, which determines whether the system is rogue based on user-configured settings.
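The following is an added example, not the sensor's own code: it shows how a passive listener can identify hosts from captured ARP and DHCP frames. It parses constructed sample frames rather than capturing live traffic, and the names detect and inventory are hypothetical. Like the sensor, it only records detections and makes no rogue-system decision.

```python
import struct
from ipaddress import IPv4Address

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def detect(frame):
    """Return (mac, ip_or_None, protocol) for the host a frame reveals, else None."""
    if len(frame) < 14:
        return None
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x0806 and len(body) >= 28:            # ARP
        htype, ptype, hlen, plen = struct.unpack("!HHBB", body[:6])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None                                    # not Ethernet/IPv4 ARP
        return _mac(body[8:14]), str(IPv4Address(body[14:18])), "arp"  # sender MAC, IP
    if ethertype == 0x0800 and len(body) >= 20:            # IPv4
        ihl = (body[0] & 0x0F) * 4
        if ihl < 20 or body[9] != 17 or len(body) < ihl + 8 + 34:
            return None                                    # not UDP, or too short
        sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])
        bootp = body[ihl + 8:]
        # DHCP client request: UDP 68 -> 67, op=1, htype=1 (Ethernet), hlen=6
        if (sport, dport) != (68, 67) or bootp[:3] != b"\x01\x01\x06":
            return None
        ciaddr = IPv4Address(bootp[12:16])
        ip = None if int(ciaddr) == 0 else str(ciaddr)     # client has no address yet
        return _mac(bootp[28:34]), ip, "dhcp"              # chaddr = client MAC
    return None

def inventory(frames):
    """Merge detections into {mac: {"ip": ..., "seen_via": set()}}."""
    hosts = {}
    for mac, ip, proto in filter(None, map(detect, frames)):
        entry = hosts.setdefault(mac, {"ip": None, "seen_via": set()})
        entry["ip"] = ip or entry["ip"]
        entry["seen_via"].add(proto)
    return hosts

# Constructed sample frames (documentation addresses, zeroed lengths and checksums).
ARP_FRAME = bytes.fromhex("ffffffffffff0011223344550806" "0001080006040001"
                          "001122334455c000020a" "000000000000c0000201")
DHCP_FRAME = (bytes.fromhex("ffffffffffff020000aabbcc0800")
              + bytes.fromhex("450000000000000040110000" "00000000" "ffffffff")
              + bytes.fromhex("0044004300000000")
              + b"\x01\x01\x06\x00" + bytes(24)
              + bytes.fromhex("020000aabbcc") + bytes(10))
```

Calling inventory([ARP_FRAME, DHCP_FRAME]) yields one entry per MAC address, with the DHCP client listed without an IP address because it has not yet been assigned one.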