On Tue, Jul 03, 2001 at 02:10:52PM +0000, Subba Rao wrote:
> My system is running Tcpdump and Snort at the same time. Both these tools
> are running with the '-p' option. This setting I believe does not put the
> ethernet interface in promiscuous mode.

In the case of tcpdump, it does, except if it's the version that *some*
Linux distributions (sufficiently recent Red Hat and SuSE have that
version) bundle with the system, in which case tcpdump

        by default, captures on all interfaces, in non-promiscuous mode;

        the -p flag makes it capture in promiscuous mode, which only
        works if you explicitly specify an interface on which to
        capture.

Unfortunately, the man page doesn't necessarily correctly document this.

I can't speak for Snort; I'll let somebody who uses it, or one of its
developers, address that.

> The system I am talking about has 3 ethernet interfaces. After the Linux
> system has started up the output of 'ifconfig' shows the following flags:
> 
> UP BROADCAST RUNNING MULTICAST
> 
> Sometime after booting up the system, all the 3 interfaces will have the
> following settings:
> 
> UP BROADCAST PROMISC RUNNING MULTICAST
> 
> I don't know which process is setting this. Besides, Tcpdump and Snort are
> listening only on one interface. Why are the other interfaces being set into
> promiscuous mode?

Presumably because some program requested it.

You'd have to see what processes are running, and do whatever
investigation is necessary to determine which of them would be
requesting it.  (I cannot help you in this investigation, as I have
neither the time nor, I suspect, all the information needed to be of
help.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
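
One way to start the investigation suggested in the reply above, as an added example that is not part of the original message or of tcpdump: on a current Linux host, read each interface's flags word for the PROMISC bit, then list the processes holding packet sockets, which are the candidates for having requested it. The function names and sample data are constructed for illustration; it assumes `/sys/class/net/<iface>/flags`, `/proc/net/packet` and `/proc/<pid>/fd` are available.

```python
import os
import re

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

def promisc_ifaces(flags_by_iface):
    """Names whose flags word (hex string, as in sysfs) has IFF_PROMISC set."""
    return sorted(n for n, f in flags_by_iface.items() if int(f, 16) & IFF_PROMISC)

def parse_packet_sockets(text):
    """/proc/net/packet text -> {socket inode: ifindex}; ifindex 0 = not bound to one interface."""
    socks = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 9:
            socks[int(cols[8])] = int(cols[4])
    return socks

def owners(socks, fd_targets):
    """Match (pid, fd link target) pairs against packet-socket inodes."""
    hits = set()
    for pid, target in fd_targets:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m and int(m.group(1)) in socks:
            hits.add((pid, socks[int(m.group(1))]))
    return sorted(hits)

def live_fd_targets():
    """Yield (pid, link target) for every open fd under /proc (root sees all processes)."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                yield int(pid), os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            continue  # process exited, or not permitted to read its fds

SAMPLE_FLAGS = {"eth0": "0x1103", "eth1": "0x1003", "eth2": "0x1103"}  # constructed sample data
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880012340000 3      3    0003   2     1 0      0      18231
ffff880012350000 3      3    0003   0     1 0      0      18544
"""
SAMPLE_FDS = [(412, "socket:[18231]"), (412, "/dev/null"), (530, "socket:[18544]"), (601, "socket:[9001]")]

if __name__ == "__main__":
    net = "/sys/class/net"
    flags = {i: open(f"{net}/{i}/flags").read().strip() for i in os.listdir(net) if os.path.isfile(f"{net}/{i}/flags")}
    print("promiscuous:", promisc_ifaces(flags))
    for pid, ifindex in owners(parse_packet_sockets(open("/proc/net/packet").read()), live_fd_targets()):
        print(f"pid {pid} holds a packet socket, ifindex {ifindex}")
```

Holding a packet socket does not by itself prove a process enabled promiscuous mode; it narrows the list of processes to examine.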
