On Tue, 23 Jan 2001, Pekka Savola wrote:
> On Tue, 23 Jan 2001, Pekka Savola wrote:
>
> > On Tue, 23 Jan 2001, robbi8 wrote:
> > > Greetings,
> > > I sent the below over a week ago and haven't heard a response. I just
> > > wanted to see if you received it and if you had seen similar issues.
> >
> > Thisi is a problem with ifconfig in net-tools package I believe, not
> > tcpdump, as the kernel log shows:
> >
> > device eth0 entered promiscuous mode
> > device eth0 left promiscuous mode
> >
> > I haven't really dug into this deeper.
>
> Whoops.
>
> This is an issue with tcpdump/libpcap after all I suppose, caused by the
> fact that new packet socket mode is used for 2.2+ kernel.
>
> In libpcap/pcap-linux.c:
>
> ---
> mr.mr_type = promisc ?
> PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
> ---
>
> IFF_PROMISC is not set, so 'ifconfig' doesn't see the interface in promisc
> mode.
Just to make things clear:
the >= 2.2 kernels have a new way of setting promiscous mode via
setsockopt(). We use this sicne a few month in pcap. It has the advantage
of thread-safeness. The usage of ioctl() is depreciated. ifconfig doesnt
show the flag, b/c kernel filters it out. Dont know why.
Administrators should note that they dont see sniffers anymore on >= 2.2
kernels!
Sebastian
>
> If the old mode ( live_open_old() ) is used, ifconfig shows the interface
> in PROMISC mode all right.
>
> --
> Pekka Savola "Tell me of difficulties surmounted,
> Netcore Oy not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
>
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
>
---
"Please stop the earth. Let me off."
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
