Snort mailing list archives
RE: ifconfig may not correctly show promiscuous mode under linux
From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Fri, 15 Aug 2003 17:30:54 -0400
My experience was different. This was part of the problem I ran into
recently when adding additional interfaces on the machine. Bringing up eth0
as a sniffed interface, along with it being the actual management and
therefore IP-addressed interface, and not SPECIFICALLY bringing up the
additional non-IP'd interfaces in promiscuous mode, caused the additional
interfaces to see no traffic. I simply added, for example,
    ifconfig eth1 up promisc
in my startup for each additional interface and things were fine. I'm
running RedHat 8.0 with patches, 4 snort sessions, and 8 barnyard sessions
on this test unit. Ifconfig properly showed me the interfaces were NOT in
promiscuous mode when I brought them up without the "promisc" on the
ifconfig command line and then started snort.
Apparently, your mileage may vary.
- Gordon
"The software said it requires Windows 98 or better, so I installed
Linux..."
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of lists
Sent: Friday, August 15, 2003 1:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ifconfig may not correctly show promiscuous mode
under linux
This appears to be a common thread/question for snort users but
it isn't in the FAQ. In fact the FAQ may be incorrect in
suggesting people use "ifconfig" to determine promiscuous mode.
A net search shows many people are confused because:
1) They expect snort to put the network interface into promiscuous
mode.
2) The alerts snort returns imply the interface IS in promiscuous
mode.
3) They then run ifconfig and it does not show the interface is
in promiscuous mode.
I found some references that would indicate ifconfig under
linux does NOT always report the correct state of promiscuous
mode on an interface. See:
http://marc.theaimsgroup.com/?l=snort-users&m=99249371217700&w=2
http://www.ussg.iu.edu/hypermail/linux/net/0101.2/0060.html
FWIW, the "ip" command from the iproute package DOES appear to
return the correct state of the interface when running snort.
The following output is from a RH9.0 system running the
2.4.20-19.9 Kernel and using a 3com 509 NIC.

/sbin/ip link show
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff

/sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:60:97:81:37:9B
          inet addr:xx.xx.xx.xx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5151010 errors:28 dropped:0 overruns:34 frame:28
          TX packets:1579623 errors:0 dropped:0 overruns:0 carrier:0
          collisions:12141 txqueuelen:100
          RX bytes:491015762 (468.2 Mb)  TX bytes:298061933 (284.2 Mb)
          Interrupt:5 Base address:0x300

Note:
A) "ip" correctly indicates the NIC is in promiscuous mode.
B) "ifconfig" does NOT indicate promiscuous mode
- Paul Beltrani
-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
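
The comparison made by eye in the thread above, as an added example that is not part of either post: a shell script that parses `ip link show` and `ifconfig` output for the PROMISC flag and reports when the two tools disagree. The function names are hypothetical, and the embedded sample text is the eth0 output quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Snort or iproute.

# ip_promisc IFACE: `ip link show` text on stdin; exit 0 if the
# <...> flag list on the IFACE line contains PROMISC.
ip_promisc() {
    awk -v ifc="$1" '
        $2 == (ifc ":") {
            flags = $3
            gsub(/[<>]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ifconfig_promisc: `ifconfig IFACE` text on stdin; exit 0 if any
# whitespace/comma/bracket-separated token is exactly PROMISC.
ifconfig_promisc() {
    awk '{
            n = split($0, t, /[ \t,<>]+/)
            for (i = 1; i <= n; i++) if (t[i] == "PROMISC") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# promisc_report IFACE IP_TEXT IFCONFIG_TEXT: print one verdict word.
promisc_report() {
    if printf '%s\n' "$2" | ip_promisc "$1"; then by_ip=yes; else by_ip=no; fi
    if printf '%s\n' "$3" | ifconfig_promisc; then by_ifc=yes; else by_ifc=no; fi
    case "$by_ip/$by_ifc" in
        yes/yes) echo promisc ;;
        no/no)   echo not-promisc ;;
        yes/no)  echo ifconfig-misses-promisc ;;
        *)       echo ip-misses-promisc ;;
    esac
}

# Sample text: the eth0 output quoted in the thread (flag lines only for ifconfig).
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff'
SAMPLE_IFCONFIG='eth0 Link encap:Ethernet HWaddr 00:60:97:81:37:9B
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1'

promisc_report eth0 "$SAMPLE_IP" "$SAMPLE_IFCONFIG"
# Live host: promisc_report eth0 "$(ip link show)" "$(ifconfig eth0)"
```

On current iproute2, `ip -d link show` additionally prints a `promiscuity` counter for each interface, which is worth checking alongside the flag list.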
Current thread:
- ifconfig may not correctly show promiscuous mode under linux lists (Aug 15)
- RE: ifconfig may not correctly show promiscuous mode under linux Gordon Cunningham (Aug 15)
- RE: ifconfig may not correctly show promiscuous mode under linux Paul Schmehl (Aug 15)
- RE: ifconfig may not correctly show promiscuous mode under linux Gordon Cunningham (Aug 15)
