[OLUG] Promiscuous eth0

Tim Russell tim at russell.dhs.org
Mon Apr 17 15:24:58 UTC 2000 

Well, it looks like whatever's doing it is doing it for about a minute or
two every time it runs. And I'm pretty sure that the messages are generated
by the kernel in response to an application putting the NIC into promiscuous
mode, not the kernel's response to a flakey NIC doing it itself.

Best thing I can think of is having a program or cron monitor
/var/log/messages for the setting promiscuous mode message, then piping
ps -ax to /var/log/promisc or some such (I'm not super-familiar with
syslog - maybe there's a way to get it to output the Process ID or - maybe -
the programs name without resorting to this).

just my 2cents, if it's worth it.

Tim #2


----- Original Message -----
From: "Mark Lichtenberg" <mark.lichtenberg at home.com>
To: <olug at bstc.net>
Sent: Sunday, April 16, 2000 01:14
Subject: Re: [OLUG] Promiscuous eth0


> No DHCP, no vmware, no sniffers, except tcpdump(which I wasn't running
> when these log entries were produced). I just switched from dial-up to a
> cable modem, and there are similar entries in my syslogs from before I
> switched. So from that, I figure that I haven't been compromised.
>
> This problem might be a result of my bigger problem. I have one rh6.1
> machine working with ipchains masquerading to my other rh box. The box
> behind the firewall often loses contact with the outside world, but can
> still connect to the firewall. (I checked, and masquerading seemed to be
> working properly.) This happens randomly, and comes back randomly. Funny
> thing is, when it loses connection, tcpdump will not pickup any packets,
> even while sucessfully pinging the firewall. When connection comes back,
> tcpdump will catch any packet just like it should.
>
> I'm starting to think that I've got a flaky network card. It's a 3c905b.
> Any thoughts?
>
> Mark Lichtenberg
>
>
>
> brian at bstc.net wrote:
> >
> > vmware is one prog. that I know of that put's your ethernet into
> > promisc mode. ALSO....
> > if you have your ethernet configured via dhcp... this will turn on
> > promisc as well, ( It normally turns it back off though )
> > other programs that normaly ship with std. distro's that will put it in
> > promisc is tcpdump, ethereal......
> >
> > Brian Roberson
> > brian at bstc.net
> >
> > -----Original Message-----
> > From: vraffensberger [mailto:vraffensberger at home.com]
> > Sent: Saturday, April 15, 2000 10:50 PM
> > To: olug
> > Cc: vraffensberger
> > Subject: FW: Re: [OLUG] Promiscuous eth0
> >
> > You can manually turn on/off promiscuous mode like this:
> > /sbin/ifconfig eth# +promisc  (or -promisc), but the program which is
> > trying to
> > start it can just turn it back on again.  I don't know of any "normal"
> > programs
> > which would require promiscuous mode.  Root access is required for
> > this.  A
> > program which is doing this would either have to be run by root or have
> > root
> > suid.
> >
> > I'll give an example of promiscuous mode.  Your computer and three
> > others are
> > connected to a traditional hub.  This hub will broadcast all packets to
> > all
> > ports whether the packet is destined for that node or not.  In normal
> > mode, your
> > kernel will simply ignore/discard packets not destined for for your
> > computer.
> > In promiscuous mode, your kernel will pass the packets to your OS.  A
> > program in
> > your OS can then process/log/filter these packets which were destined
> > for
> > another computer on your hub.  This program can then see, in plain text,
> > passwords from or to the other computers.  Stuff like telnet, pop3,
> > smtp, rsh,
> > rlogin, etc.. all pass passwords in plain text.  So, once access is
> > gained to
> > your computer, access can then be found to many other computers on your
> > network
> > and the systems they connect to.
> >
> > For further examples, here's an excerpt from the dsniff (an
> > entertaining program
> > which relies on promiscuous mode) man page:
> >
> > arpredirect
> >         redirect packets from a target host (or all hosts) on the LAN
> >         intended for another host on the LAN by forging ARP replies.
> >         this is an extremely effective way of sniffing traffic on a
> >         switch. kernel IP forwarding (or a userland program which
> >         accomplishes the same, e.g. fragrouter :-) must be turned on
> >         ahead of time.
> > findgw
> >         determine the local gateway of an unknown network via passive
> >         sniffing.
> > macof
> >         flood the local network with random MAC addresses (causing
> >         some switches to fail open in repeating mode, facilitating
> >         sniffing). a straight C port of the original Perl Net::RawIP
> >         macof program.
> > tcpkill
> >         kill specified in-progress TCP connections (useful for
> >         libnids-based applications which require a full TCP 3-whs for
> >         TCB creation).
> > tcpnice
> >         slow down specified in-progress TCP connections via "active"
> >         traffic shaping (useful for sniffing fast networks). forges
> >         tiny TCP window advertisements, and optionally ICMP source
> >         quench replies.
> > dsniff
> >         simple password sniffer. handles FTP, Telnet, HTTP, POP, NNTP,
> >         IMAP, SNMP, Rlogin, NFS, X11 auth info. goes beyond most
> >         sniffers in that it minimally parses each application
> >         protocol, only saving the "interesting" bits. uses Berkeley DB
> >         as its output file format, logging only unique auth
> >         info. supports full TCP/IP reassembly, courtesy of libnids
> >         (all of the following tools do, as well).
> > mailsnarf
> >         a fast and easy way to violate the Electronic Communications
> >         Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs
> >         all messages sniffed from SMTP traffic in Berkeley mbox
> >         format, suitable for offline browsing with your favorite mail
> >         reader (mail -f, pine, etc.).
> > urlsnarf
> >         output all requested URLs sniffed from HTTP traffic in CLF
> >         (Common Log Format, used by almost all web servers), suitable
> >         for offline post-processing with your favorite web log
> >         analysis tool (analog, wwwstat, etc.).
> > webspy
> >         sends URLs sniffed from a client to your local Netscape
> >         browser for display, updated in real-time (as the target
> >         surfs, your browser surfs along with them, automagically).
> >         a fun party trick. :-)
> >
> > ------------------------------------------------------------------------
> > -
> > Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
> > To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
> >
>
> -------------------------------------------------------------------------
> > Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
> > To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
>
> -------------------------------------------------------------------------
> Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
>


-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`

More information about the OLUG mailing list