[techtalk] Promiscuos setting <SOLVED>

[Subba Rao]

On  0, Subba Rao <subba9 at home.com> wrote:
> 
> My system is running Tcpdump and Snort at the same time. Both these tools
> are running with the '-p' option. This setting I believe does not put the
> ethernet interface in promiscuous mode.
> 
> The system I am talking about has 3 ethernet interfaces. After the Linux
> system has started up the output of 'ifconfig' shows the following flags:
> 
> UP BROADCAST RUNNING MULTICAST
> 
> Sometime after booting up the system, all the 3 interfaces will have the
> following settings:
> 
> UP BROADCAST PROMISC RUNNING MULTICAST
> 
> I don't know which process is setting this. Besides Tcpdump and Snort are
> listening only on one interface. Why are the other interfaces being set into
> promiscuos mode? If anyone experienced this problem, I would like to know how
> you went about investigating this change in interface settings.
> 
> Is there any remote threat for a machine with promiscuos interfaces? I am very
> uncomfortable with the promiscuous interfaces.
> 
> Any help or insight is appreciated. 
> 
> PS - Hope this info will help.
> 
> $ nohup tcpdump -a -vv -i eth0 -p &
> 
> # Snort is run my daemontools/supervise
> $ snort -pdb -i eth0 -l /log/output/ -c /etc/mysnortconfig.conf
> 

Thanks to everyone who replied with helpful suggestions!

I found the culprit program. Recently I have download Etherape, a tool which
will show the network traffic visually. You can select a specific interface
on the system to watch the type of traffic on that network. This good ole tool
set the interface in promiscuous mode. While quiting, this tool does not restore
the original settings of the interface.

To get the interface back into non-promiscuous state, I shut down the interface
and brought it back up with the '-promisc' option. That fixed the problem.

-- 

Subba Rao
subba9 at home.com
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217