
Re: promiscuous mode



On Sat 24/05/2003 at 00:24, Ian Goodall wrote:
> >Try using tcpdump to investigate the problem.  Make sure you use the
> >'-p' flag to tcpdump to tell it not to set the interface into
> >promiscuous mode.  Something like
> ># tcpdump -i eth0 -p -n
> 
> I have no idea what all the output means. Below is an extract from the
> output:
> 
> 23:17:22.564132 172.16.3.195.1957 > 172.16.5.92.22: P 211401:211445(44) ack
> 1380732 win 36168 (DF)

At 23:17:22.564132, a packet from 172.16.3.195 port 1957 was received on
172.16.5.92 port 22. The remaining fields are related to TCP (ack and
flags). Here there is no S (SYN) nor F (FIN), thus the connection was
previously established and continued after your capture.

Were you connected through SSH while doing your network capture? This is
a _very_ good way to generate packets :-)) Each time a packet touches
your box, ssh will send you the tcpdump line, generating a packet that
will get captured and sent to you via ssh, and so on :-)). See, in your
capture, packets follow each other at sometimes less than a
millisecond! It's possible to do network captures when connecting
through the network, but then you have to exclude yourself from the
capture for it to be useful. With tethereal the syntax is:

tethereal -n not tcp port 22

I can't remember for tcpdump but hopefully there is a "capture filter"
section in the manual.

> if it helps 172.16.3.195 is another computer directly connected to the
> switch running windows xp. This computer is 172.16.5.92 . The switch is also
> connected into the rest of the university student network. Even though the
> rest of the network is connected to the server shouldn't the traffic be
> ignored if it is not destined for it anyway?

Are you sure it's not? Of course, being connected on a big network you
will receive plenty of junk, especially as your broadcast domain seems
quite big. Any machine looking for another (DNS server, gateway,
whatever) will send an arp message that _everybody_ will receive (if
not, your ethernet will never work); windows machines hoping to make new
friends will do the same... There is very little you can do other than
taking no action (which your IP stack already does for most of this
stuff). You may additionally use iptables to remove this useless traffic
(just be careful that on a busy network you may fill your logs with
useless crap), but this will not prevent the traffic from reaching you.
The only other way would be to put a router between you and the big
network, but you don't gain much, I think.

Sebastien
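As an added illustration, not part of Sebastien's message nor of the tcpdump or tethereal projects, here is a small Python parser for the classic tcpdump text line format quoted in the thread. It reads the flags field to decide whether a packet belongs to an already-established connection (no SYN, no FIN), marks the packets of the SSH session to the capturing host (the feedback loop described above), and emulates what the `not tcp port 22` capture filter would leave behind. The sample capture lines are constructed for this example (the first one is the line from the thread, the others are made up in the same format), and the local address 172.16.5.92 is taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample capture in the tcpdump 3.x text format:
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) ack N win N ...
# Line 1 is the line quoted in the thread; the rest are made up for this example.
SAMPLE_CAPTURE = """\
23:17:22.564132 172.16.3.195.1957 > 172.16.5.92.22: P 211401:211445(44) ack 1380732 win 36168 (DF)
23:17:22.564500 172.16.5.92.22 > 172.16.3.195.1957: P 1380732:1380820(88) ack 211445 win 8760 (DF)
23:17:23.101000 172.16.3.17.1044 > 172.16.5.92.80: S 4123456:4123456(0) win 16384 <mss 1460> (DF)
23:17:24.200000 172.16.3.17.1044 > 172.16.5.92.80: F 4123999:4123999(0) ack 77 win 16384 (DF)
"""

# Old tcpdump prints TCP flags as letters (S, F, P, R, U) or '.' when none is set.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<plen>\d+)\))?"
)


@dataclass
class TcpLine:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload_len: Optional[int]


def parse_line(line: str) -> Optional[TcpLine]:
    """Parse one tcpdump TCP line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    plen = m.group("plen")
    return TcpLine(
        ts=m.group("ts"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        flags=m.group("flags"),
        payload_len=int(plen) if plen is not None else None,
    )


def is_mid_stream(pkt: TcpLine) -> bool:
    """No SYN and no FIN: the connection was set up before the capture started."""
    return "S" not in pkt.flags and "F" not in pkt.flags


def is_ssh_session(pkt: TcpLine, local_ip: str, ssh_port: int = 22) -> bool:
    """Packet belongs to an SSH session terminating on the capturing host."""
    return (pkt.dst == local_ip and pkt.dport == ssh_port) or (
        pkt.src == local_ip and pkt.sport == ssh_port
    )


def apply_port_filter(pkts: List[TcpLine], exclude_port: int = 22) -> List[TcpLine]:
    """Emulate the capture filter 'not tcp port N' on already-parsed lines."""
    return [p for p in pkts if p.sport != exclude_port and p.dport != exclude_port]


def summarize(capture_text: str, local_ip: str) -> Dict[str, int]:
    """Count packets, SSH-session packets, mid-stream packets and what a filter keeps."""
    pkts = [p for p in (parse_line(l) for l in capture_text.splitlines()) if p]
    return {
        "total": len(pkts),
        "ssh_session": sum(is_ssh_session(p, local_ip) for p in pkts),
        "mid_stream": sum(is_mid_stream(p) for p in pkts),
        "after_filter": len(apply_port_filter(pkts)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE, "172.16.5.92").items():
        print(f"{key}: {value}")
```

Run on the sample, the two port-22 lines are the SSH session carrying the capture output back to the operator, and both are mid-stream (P only), which is exactly what the `not tcp port 22` filter removes, leaving the SYN and FIN of the unrelated port-80 connection.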
