[OLUG] Promiscuous eth0

Mark Lichtenberg mark.lichtenberg at home.com
Sun Apr 16 06:14:55 UTC 2000

No DHCP, no vmware, no sniffers, except tcpdump(which I wasn't running
when these log entries were produced). I just switched from dial-up to a
cable modem, and there are similar entries in my syslogs from before I
switched. So from that, I figure that I haven't been compromised.

This problem might be a result of my bigger problem. I have one rh6.1
machine working with ipchains masquerading to my other rh box. The box
behind the firewall often loses contact with the outside world, but can
still connect to the firewall. (I checked, and masquerading seemed to be
working properly.) This happens randomly, and comes back randomly. Funny
thing is, when it loses connection, tcpdump will not pickup any packets,
even while sucessfully pinging the firewall. When connection comes back,
tcpdump will catch any packet just like it should. 

I'm starting to think that I've got a flaky network card. It's a 3c905b.
Any thoughts?

Mark Lichtenberg

brian at bstc.net wrote:
> vmware is one prog. that I know of that put's your ethernet into
> promisc mode. ALSO....
> if you have your ethernet configured via dhcp... this will turn on
> promisc as well, ( It normally turns it back off though )
> other programs that normaly ship with std. distro's that will put it in
> promisc is tcpdump, ethereal......
> Brian Roberson
> brian at bstc.net
> -----Original Message-----
> From: vraffensberger [mailto:vraffensberger at home.com]
> Sent: Saturday, April 15, 2000 10:50 PM
> To: olug
> Cc: vraffensberger
> Subject: FW: Re: [OLUG] Promiscuous eth0
> You can manually turn on/off promiscuous mode like this:
> /sbin/ifconfig eth# +promisc  (or -promisc), but the program which is
> trying to
> start it can just turn it back on again.  I don't know of any "normal"
> programs
> which would require promiscuous mode.  Root access is required for
> this.  A
> program which is doing this would either have to be run by root or have
> root
> suid.
> I'll give an example of promiscuous mode.  Your computer and three
> others are
> connected to a traditional hub.  This hub will broadcast all packets to
> all
> ports whether the packet is destined for that node or not.  In normal
> mode, your
> kernel will simply ignore/discard packets not destined for for your
> computer.
> In promiscuous mode, your kernel will pass the packets to your OS.  A
> program in
> your OS can then process/log/filter these packets which were destined
> for
> another computer on your hub.  This program can then see, in plain text,
> passwords from or to the other computers.  Stuff like telnet, pop3,
> smtp, rsh,
> rlogin, etc.. all pass passwords in plain text.  So, once access is
> gained to
> your computer, access can then be found to many other computers on your
> network
> and the systems they connect to.
> For further examples, here's an excerpt from the dsniff (an
> entertaining program
> which relies on promiscuous mode) man page:
> arpredirect
>         redirect packets from a target host (or all hosts) on the LAN
>         intended for another host on the LAN by forging ARP replies.
>         this is an extremely effective way of sniffing traffic on a
>         switch. kernel IP forwarding (or a userland program which
>         accomplishes the same, e.g. fragrouter :-) must be turned on
>         ahead of time.
> findgw
>         determine the local gateway of an unknown network via passive
>         sniffing.
> macof
>         flood the local network with random MAC addresses (causing
>         some switches to fail open in repeating mode, facilitating
>         sniffing). a straight C port of the original Perl Net::RawIP
>         macof program.
> tcpkill
>         kill specified in-progress TCP connections (useful for
>         libnids-based applications which require a full TCP 3-whs for
>         TCB creation).
> tcpnice
>         slow down specified in-progress TCP connections via "active"
>         traffic shaping (useful for sniffing fast networks). forges
>         tiny TCP window advertisements, and optionally ICMP source
>         quench replies.
> dsniff
>         simple password sniffer. handles FTP, Telnet, HTTP, POP, NNTP,
>         IMAP, SNMP, Rlogin, NFS, X11 auth info. goes beyond most
>         sniffers in that it minimally parses each application
>         protocol, only saving the "interesting" bits. uses Berkeley DB
>         as its output file format, logging only unique auth
>         info. supports full TCP/IP reassembly, courtesy of libnids
>         (all of the following tools do, as well).
> mailsnarf
>         a fast and easy way to violate the Electronic Communications
>         Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs
>         all messages sniffed from SMTP traffic in Berkeley mbox
>         format, suitable for offline browsing with your favorite mail
>         reader (mail -f, pine, etc.).
> urlsnarf
>         output all requested URLs sniffed from HTTP traffic in CLF
>         (Common Log Format, used by almost all web servers), suitable
>         for offline post-processing with your favorite web log
>         analysis tool (analog, wwwstat, etc.).
> webspy
>         sends URLs sniffed from a client to your local Netscape
>         browser for display, updated in real-time (as the target
>         surfs, your browser surfs along with them, automagically).
>         a fun party trick. :-)
> ------------------------------------------------------------------------
> -
> Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
> -------------------------------------------------------------------------
> Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`

Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 

More information about the OLUG mailing list