Re: ifconfig doesn't report Promiscuous interfaces

To: debian-security@lists.debian.org
Subject: Re: ifconfig doesn't report Promiscuous interfaces
From: S.Salman Ahmed <ssahmed@pathcom.com>
Date: Sat, 17 Mar 2001 01:05:48 -0500
Message-id: <[🔎] 15026.65211.568061.505498@viper.earth>
Reply-to: ssahmed@pathcom.com
In-reply-to: <[🔎] 20010317003652.B13846@morgul.net>
References: <[🔎] 15026.48807.605690.280609@viper.earth> <[🔎] 20010317014434.23295.qmail@web13201.mail.yahoo.com> <[🔎] 15026.50750.958632.234323@viper.earth> <[🔎] 20010316223744.A20474@mp3revolution.net> <[🔎] 15026.63187.385075.383200@viper.earth> <[🔎] 20010317003652.B13846@morgul.net>

>>>>> "Noah" == Noah L Meyerhans <frodo@morgul.net> writes:
    Noah>  Knark can't function if you have disabled module loading.  It
    Noah> is a module, so it can't do anything if it can't be run.
    Noah> 
    Noah> Did you say that the kernel logs a message about switching
    Noah> to/from promisc mode if you do an 'ifconfig promisc' or
    Noah> 'ifconfig -promisc'?
    Noah> 

Yes, the kernel logs messages regarding switching of the
promiscuous-ness of the interface. dmesg and looking thru
/var/log/kern.log will show that.

But here is something interesting that I just noticed: typing "ifconfig
eth0 promisc" will make eth0 promisc (/var/log/kern.log and dmesg both
confirm), and after that ifconfig shows the correct status:

@viper:[/home/ssahmed] ifconfig eth0 promisc
@viper:[/home/ssahmed] ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:50:BA:44:70:CE  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:274 (274.0 b)  TX bytes:0 (0.0 b)
          Interrupt:9 Base address:0x6000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16192  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Suspecting Knark, I booted to my earlier 2.4.2 kernel that has module
support enabled and I tried this again, and like the previous 2.4.2
sans-modules support ifconfig shows the PROMISC status but ONLY if eth0
is made promiscuous by typing "ifconfig eth0 promisc".

Using either snort or tcpdump, however, causes ifconfig to not report
the PROMISC status.

So, it doesn't seem to be Knark at play since I can see PROMISC set only
if ifconfig is used to enable it on the interface.

This is just too bizarre.

-- 
Salman Ahmed
ssahmed AT pathcom DOT com

Reply to:

References:
- ifconfig doesn't report Promiscuous interfaces
  - From: S.Salman Ahmed <ssahmed@pathcom.com>
- Re: ifconfig doesn't report Promiscuous interfaces
  - From: Marlon Jabbur <marlonsj@yahoo.com.br>
- Re: ifconfig doesn't report Promiscuous interfaces
  - From: S.Salman Ahmed <ssahmed@pathcom.com>
- Re: ifconfig doesn't report Promiscuous interfaces
  - From: Andres Salomon <dilinger@mp3revolution.net>
- Re: ifconfig doesn't report Promiscuous interfaces
  - From: S.Salman Ahmed <ssahmed@pathcom.com>
- Re: ifconfig doesn't report Promiscuous interfaces
  - From: "Noah L. Meyerhans" <frodo@morgul.net>

Prev by Date: Re: ifconfig doesn't report Promiscuous interfaces
Next by Date: Re: ifconfig doesn't report Promiscuous interfaces
Previous by thread: Re: ifconfig doesn't report Promiscuous interfaces
Next by thread: Re: ifconfig doesn't report Promiscuous interfaces
Index(es):
- Date
- Thread