[techtalk] Promiscuous setting

Subba Rao subba9 at home.com
Tue Jul 3 14:17:09 EST 2001


My system is running Tcpdump and Snort at the same time. Both these tools
are running with the '-p' option. This setting I believe does not put the
ethernet interface in promiscuous mode.

The system I am talking about has 3 ethernet interfaces. After the Linux
system has started up the output of 'ifconfig' shows the following flags:

UP BROADCAST RUNNING MULTICAST

Sometime after booting up the system, all the 3 interfaces will have the
following settings:

UP BROADCAST PROMISC RUNNING MULTICAST

I don't know which process is setting this. Besides, Tcpdump and Snort are
listening only on one interface. Why are the other interfaces being set into
promiscuous mode? If anyone has experienced this problem, I would like to know how
you went about investigating this change in interface settings.

Is there any remote threat for a machine with promiscuous interfaces? I am very
uncomfortable with the promiscuous interfaces.

Any help or insight is appreciated. 

PS - Hope this info will help.

$ nohup tcpdump -a -vv -i eth0 -p &

# Snort is run by daemontools/supervise
$ snort -pdb -i eth0 -l /log/output/ -c /etc/mysnortconfig.conf
-- 

Subba Rao
subba9 at home.com
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217
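
One way to check the flag the post asks about, as an added example that is not part of the original message: the script decodes the kernel's interface flag word and lists which interfaces have IFF_PROMISC set. It assumes a Linux system that exposes /sys/class/net/<if>/flags; the function names are made up for this example, and the two flag words in the comments are constructed from the two ifconfig outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): report which interfaces carry
# IFF_PROMISC. Bit values are the IFF_* constants from <linux/if.h>.
# Constructed sample words: 0x1043 = UP BROADCAST RUNNING MULTICAST,
#                           0x1143 = the same set plus PROMISC (0x100).

# decode_flags WORD -> names of the five flags shown in the post, same order
decode_flags() {
    f=$(( $1 ))
    out=""
    if [ $(( f & 0x1 ))    -ne 0 ]; then out="$out UP"; fi
    if [ $(( f & 0x2 ))    -ne 0 ]; then out="$out BROADCAST"; fi
    if [ $(( f & 0x100 ))  -ne 0 ]; then out="$out PROMISC"; fi
    if [ $(( f & 0x40 ))   -ne 0 ]; then out="$out RUNNING"; fi
    if [ $(( f & 0x1000 )) -ne 0 ]; then out="$out MULTICAST"; fi
    echo "${out# }"
}

# is_promisc WORD -> exit status 0 when the IFF_PROMISC bit is set
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# scan_interfaces [DIR] -> one line per interface: name, state, raw word, names
# DIR defaults to /sys/class/net; a different directory can be passed for testing.
scan_interfaces() {
    dir=${1:-/sys/class/net}
    for path in "$dir"/*/flags; do
        [ -r "$path" ] || continue          # skips the unexpanded glob too
        ifname=$(basename "$(dirname "$path")")
        word=$(cat "$path")
        if is_promisc "$word"; then state=PROMISC; else state=normal; fi
        echo "$ifname $state $word $(decode_flags "$word")"
    done
}

# Stand-alone use: print the current state of every interface once.
scan_interfaces
```

Running this periodically and comparing successive outputs gives a timestamp for when each interface changed state. The kernel log also records a "device ... entered promiscuous mode" message at the moment of the change.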



