I am running into an interesting promiscuous mode issue on Redhat
Enterprise WS 3, kernel version 2.4.21, libpcap version 0.7.2 and
tcpdump 3.7.2. The issue is unanticipated toggling of promisc state. I
am running Snort version 2.1.2 which itself sets promisc first on the
interface in question and may be a catalyst for the issue or a red
herring.

So, in a default state we have the interface in PROMISC as set by
Snort. I am using 'ip link show eth0' as ifconfig does not show the
PROMISC flag yet:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

When I run 'tcpdump -i eth0 -nn' PROMISC becomes unset thus only
capturing bcast/ARP traffic:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

When I stop that tcpdump the interface promptly returns to PROMISC
state:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

Now I run tcpdump with the -p flag (supposedly this does not set
PROMISC), 'tcpdump -i eth0 -nn -p' and the PROMISC flag stays and I
capture all the traffic I should be:

2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

This does not seem to be desired behavior from my experience.

Let's try from default state again:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

I run 'tcpdump -i eth0 -nn' and I lose PROMISC and only see bcasts/ARPs:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

Now I run the same command in another terminal, 'tcpdump -i eth0 -nn'
and PROMISC returns:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff

If the interface is already in promisc mode, as Snort has set it, why
is tcpdump turning that off?

Why when running multiple, and the same, tcpdumps does the promisc
flag get flipped back and forth in relation to how many tcpdumps are
running?

Overall, shouldn't tcpdump (without -p) check if the interface is in
promisc mode already (as Snort has set it or another tcpdump) and if
so, not toggle that setting?

Unfortunately, I cannot reproduce this behavior all the time. In some
cases running 'tcpdump -i eth0 -nn' on an already promisc interface
does not toggle promisc off. That is the behavior that I am familiar
with and expect. Any insight much appreciated.

--
Chris Reining, GCFW, GCIA
http://packetfu.org
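The practical worry in the post is that a sensor interface silently loses PROMISC while another capture tool starts or stops, which blinds Snort without any error. The following script is an added example, not part of the original message or of tcpdump/Snort: it parses the flag field of `ip link show` output and reports whether PROMISC is set for a named interface, and compares two snapshots to classify a transition. The snapshots embedded below are constructed to mirror the states shown in the post; the function names (`promisc_flag`, `promisc_transition`, `poll_promisc`) are this example's own.

```shell
#!/bin/sh
# Added example: audit the PROMISC flag in `ip link show` output.
# Constructed snapshots mirroring the post (not live captures).
SNAP_DEFAULT='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff'
SNAP_DURING_TCPDUMP='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:c0:95:c9:29:78 brd ff:ff:ff:ff:ff:ff'

# promisc_flag IFACE SNAPSHOT
# Prints 1 if PROMISC is in the <...> flag field of IFACE's line, 0 if the
# interface is listed without it, and "absent" if IFACE is not in SNAPSHOT.
promisc_flag() {
    iface=$1
    snap=$2
    printf '%s\n' "$snap" | awk -v ifc="$iface" '
        $2 == ifc ":" {
            found = 1
            # $3 looks like <BROADCAST,MULTICAST,PROMISC,UP>; strip < > and split on commas
            n = split(substr($3, 2, length($3) - 2), f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") hit = 1
        }
        END {
            if (!found) print "absent"
            else print (hit ? 1 : 0)
        }'
}

# promisc_transition IFACE BEFORE AFTER
# Prints "cleared" (1 -> 0), "set" (0 -> 1), "unchanged", or "absent".
promisc_transition() {
    iface=$1
    b=$(promisc_flag "$iface" "$2")
    a=$(promisc_flag "$iface" "$3")
    if [ "$b" = absent ] || [ "$a" = absent ]; then
        echo absent
    elif [ "$b" = 1 ] && [ "$a" = 0 ]; then
        echo cleared
    elif [ "$b" = 0 ] && [ "$a" = 1 ]; then
        echo set
    else
        echo unchanged
    fi
}

# poll_promisc IFACE [INTERVAL_SECONDS]
# Live watcher (requires iproute2; not exercised by the offline test): logs a
# timestamped line every time the PROMISC state of IFACE changes, so a sensor
# operator sees exactly when a capture tool cleared the flag.
poll_promisc() {
    iface=$1
    interval=${2:-1}
    prev=$(promisc_flag "$iface" "$(ip link show "$iface")")
    echo "$(date '+%F %T') $iface PROMISC=$prev (initial)"
    while sleep "$interval"; do
        cur=$(promisc_flag "$iface" "$(ip link show "$iface")")
        if [ "$cur" != "$prev" ]; then
            echo "$(date '+%F %T') $iface PROMISC changed: $prev -> $cur"
            prev=$cur
        fi
    done
}

# Offline demonstration over the constructed snapshots.
echo "default state:        PROMISC=$(promisc_flag eth0 "$SNAP_DEFAULT")"
echo "while tcpdump runs:   PROMISC=$(promisc_flag eth0 "$SNAP_DURING_TCPDUMP")"
echo "transition:           $(promisc_transition eth0 "$SNAP_DEFAULT" "$SNAP_DURING_TCPDUMP")"
```

Run `poll_promisc eth0` in a spare terminal while starting and stopping tcpdump to get a timestamped record of each flip; on a production sensor the same check can feed a health alert, since a cleared PROMISC flag on the monitoring interface means the IDS is seeing only broadcast and ARP traffic.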