Re: Effects of promiscuous mode
On Fri, 14 Sep 2001 15:00:21 PDT, "Sean 'Shaleh' Perry" writes:
>
>On 14-Sep-2001 Rino Mardo wrote:
>> I'm checking out snort, a network intrusion detection system. I
>> noticed that when I start the snort daemon to listen on eth0 (my NIC
>> connected to the Internet), the interface enters promiscuous mode. I know
>> what promiscuous mode is, but I'm wondering what the impacts of the
>> device's being on promiscuous mode will be.
>The NIC will be working a little more because it reacts to every packet on the
>wire, even ones it would usually not be interested in. This will likely mean
>a little more OS/CPU work as well.
"a little"? On a reasonably busy LAN (and, of course, with equipment
which hands you all the packets[0]) your system will have *much* *much*
more to do. Especially when doing filtering and logging dropped
packets...

ka:/home/waldner# uptime
12:08am up 55 days, 10:48, 3 users, load average: 0.00, 0.00, 0.00
ka:/home/waldner# ifconfig eth0 promisc
ka:/home/waldner# uptime
12:13am up 55 days, 10:53, 3 users, load average: 2.45, 1.10, 0.70
ka:/home/waldner# ifconfig eth0 -promisc
ka:/home/waldner# uptime
12:23am up 55 days, 11:03, 3 users, load average: 0.12, 0.40, 0.17

Ok, I'm getting ~ 9.2 MBit/s[1] worth of traffic while in promiscuous
mode, whereas ~ 40 Kbit/s when not.

0: most switches won't. I still don't know how most cisco-switches get
to know that an attached NIC enters promiscuous mode...

1: 10 MBit/s-ethernet on a 10/100-switch populated by mostly 100
MBit/s-cards and -clients.
cheers,
&rw
--
-- Those who think they know it all are
-- very annoying to those of us who do.
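
The measurement in the message above can be scripted. The following is an added example, not part of the original message: it tests the promiscuous bit in an interface flags value and computes the receive rate from two /proc/net/dev-style snapshots. The flag values, counters and the `sample` helper are constructed for illustration; `eth0` is the interface named in the thread.

```shell
#!/bin/sh
# Added example; all counter and flag values below are constructed.

IFF_PROMISC=0x100   # promiscuous bit in Linux interface flags (linux/if.h)

# is_promisc FLAGS: succeed if the promiscuous bit is set in a flags value,
# e.g. the hex string read from /sys/class/net/eth0/flags.
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# rx_bytes IFACE: print IFACE's receive byte counter from /proc/net/dev-format
# text on stdin. Some kernels print the counter directly after the colon
# ("eth0:1234"), so split on the colon before comparing fields.
rx_bytes() {
    awk -v ifc="$1" '{ sub(/:/, ": ") } $1 == ifc ":" { print $2 }'
}

# kbit_per_s BEFORE AFTER SECONDS: average receive rate (1 kbit = 1000 bit).
kbit_per_s() {
    echo $(( ($2 - $1) * 8 / $3 / 1000 ))
}

# sample RX_BYTES: constructed /proc/net/dev snapshot with eth0's counter set.
sample() {
    printf 'Inter-|   Receive            |  Transmit\n'
    printf ' face |bytes packets errs    |bytes packets errs\n'
    printf '    lo:    1200      10    0     1200      10    0\n'
    printf '  eth0:%s    9000    0   500000    4000    0\n' "$1"
}

# report FLAGS BEFORE AFTER SECONDS: one summary line per measurement.
report() {
    b0=$(sample "$2" | rx_bytes eth0)
    b1=$(sample "$3" | rx_bytes eth0)
    if is_promisc "$1"; then mode="promisc"; else mode="normal"; fi
    echo "eth0 flags=$1 mode=$mode rx=$(kbit_per_s "$b0" "$b1" "$4") kbit/s"
}

report 0x1003  1000000  1050000 10   # constructed: 40 kbit/s
report 0x1103  2000000 13500000 10   # constructed: 9200 kbit/s
```

On a live system, feed `rx_bytes` two reads of `/proc/net/dev` taken a known number of seconds apart instead of the output of `sample`.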