On Wed, Jan 17, 2001 at 10:07:49AM -0800, Guy Harris wrote:
> It might be interesting to see what happens if you do that on a
> PF_PACKET/SOCK_DGRAM socket (or to check the kernel code to see if
> that'll work); if not, then it'll be normal behavior because that's all
> the kernel lets you do.
>From a quick check of the kernel code, it appears that it would be
possible for the "any" device to make all of the *CURRENT* network
devices on the machine that are capable of going into promiscuous mode
do so - it'd have to
get a list of all network devices;
go through them one by one, and put them into promiscuous mode.
This does mean that if some new interface becomes available (e.g., a PC
Card interface plugged into your machine), it won't go into promiscuous
mode, but adding new interfaces while a capture is in programs
potentially has other problems, for example if we attempt to associate
interface names with packets by putting a table of interface names and
indices at the beginning of some future new format of capture file,
either that interface wouldn't get a name associated with it, or the
capture file would have to have a special type of record that says "as
of this record, the following interface index corresponds to the
following interface name".
In order to automatically put that new interface into promiscuous mode,
we'd also have to somehow listen for new interfaces showing up; I
haven't checked to see if there's a way to be informed of that by the
kernel.
In any case, I'm not inclined to do that for 0.6/3.6, as even if we
*didn't* worry about changes to the interface list, it's still not just
a quick change - I'd be inclined to put it only into the main branch and
save it for 0.7/3.7.
We could document, somewhere in the tcpdump man page, that promiscuous
mode doesn't work on the "any" device.
We could also return an error if you attempt to open the "any" device in
promiscuous mode, so that if somebody does
tcpdump -i any
they'll get an error, and will have to do
tcpdump -p -i any
so that they don't request promiscuous mode.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
