From: Peter Pentchev
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Date: Thu, 19 Apr 2001 16:15:03 +0300
Subject: Re: promiscuous mode
Message-ID: <20010419161503.A1527@ringworld.oblivion.bg>
In-Reply-To: message from George.Giles@mcmail.vanderbilt.edu on Thu, Apr 19, 2001 at 08:10:45AM -0500

On Thu, Apr 19, 2001 at 08:10:45AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
> on the xl0 interface. What would cause this ? Is it a sign of a potential
> problem ?

'Promiscuous mode' means that the kernel starts processing - and passing to
userland programs - ethernet frames that are not targeted to this machine only.
This means somebody (usu. root ;) is running a packet capture program - either
tcpdump, or some traffic analysis utility, or - if none of the above - possibly
a packet sniffer. In the last case, you should be alarmed.

If you are not running tcpdump or some traffic analysis program, or if there
are times that you are not running those, but the interface still goes into or
out of promiscuous mode, then yes, this is a sign of a potential intrusion.

G'luck,
Peter

--
I am the thought you are now thinking.
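The check Peter describes, turned into a script, as an added example that is not part of the original mail or of FreeBSD: it pairs the kernel's "promiscuous mode enabled" / "promiscuous mode disabled" log lines (the wording the FreeBSD kernel logs when a socket toggles promiscuous mode on an interface) with a snapshot of the process list, and reports an ALERT for every transition into promiscuous mode that no known capture tool accounts for. The syslog excerpt and the two `ps` snapshots are constructed sample data; the list of accepted capture tools in `KNOWN_CAPTURE_RE` is an assumption to adapt to the site.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD). Correlates
# kernel "promiscuous mode" syslog lines with the process list: an
# "enabled" transition with no known capture tool running is what the
# reply above calls a sign of potential intrusion.

# Process names accepted as legitimate reasons for promiscuous mode.
# Assumption: site-specific; extend it with your own traffic analysers.
KNOWN_CAPTURE_RE='(^|[[:space:]/])(tcpdump|trafshow|snort)([[:space:]]|$)'

# promisc_events LOGFILE
#   Emit "<mon> <day> <time> <iface> <enabled|disabled>" for each promiscuous
#   mode line the kernel wrote (syslog format; 4.x logs as "/kernel:").
promisc_events() {
    sed -E -n \
      's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]{8}) [^ ]+ (\/kernel|kernel): ([a-z]+[0-9]+): promiscuous mode (enabled|disabled).*$/\1 \3 \4/p' \
      "$1"
}

# capture_tool_running PSFILE
#   Succeed (exit 0) when a known capture tool appears in the ps snapshot.
capture_tool_running() {
    grep -E -q "$KNOWN_CAPTURE_RE" "$1"
}

# audit_promisc LOGFILE PSFILE
#   One line per event: OK when promiscuous mode was enabled while a known
#   capture tool was running, ALERT when it was not; "disabled" events are
#   echoed as INFO so the operator sees the whole in/out sequence.
audit_promisc() {
    logfile=$1; psfile=$2
    promisc_events "$logfile" | while read -r mon day time iface state; do
        case $state in
        disabled)
            echo "INFO  $mon $day $time $iface left promiscuous mode" ;;
        enabled)
            if capture_tool_running "$psfile"; then
                echo "OK    $mon $day $time $iface promiscuous; known capture tool running"
            else
                echo "ALERT $mon $day $time $iface promiscuous with no known capture tool running"
            fi ;;
        esac
    done
}

# alert_count LOGFILE PSFILE
#   Number of ALERT lines; 0 means there is nothing to chase.
alert_count() {
    n=$(audit_promisc "$1" "$2" | grep -c '^ALERT' || true)
    echo "$n"
}

# Constructed sample data (not real logs): a 4.2-RELEASE style syslog
# excerpt and two ps snapshots, one with tcpdump running and one without.
SAMPLE_DIR=${SAMPLE_DIR:-${TMPDIR:-/tmp}/promisc-demo.$$}
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/messages" <<'EOF'
Apr 19 06:02:11 host /kernel: xl0: promiscuous mode enabled
Apr 19 06:05:40 host /kernel: xl0: promiscuous mode disabled
Apr 19 06:10:45 host /kernel: xl0: promiscuous mode enabled
EOF
    cat > "$SAMPLE_DIR/ps.with-tcpdump" <<'EOF'
  PID  TT  STAT      TIME COMMAND
  312  ??  Ss     0:01.02 /usr/sbin/syslogd -s
 1527  p0  S+     0:00.31 tcpdump -n -i xl0
EOF
    cat > "$SAMPLE_DIR/ps.quiet" <<'EOF'
  PID  TT  STAT      TIME COMMAND
  312  ??  Ss     0:01.02 /usr/sbin/syslogd -s
 1602  p0  S+     0:00.05 sh
EOF
}

write_samples
echo "== with tcpdump running =="
audit_promisc "$SAMPLE_DIR/messages" "$SAMPLE_DIR/ps.with-tcpdump"
echo "== no capture tool =="
audit_promisc "$SAMPLE_DIR/messages" "$SAMPLE_DIR/ps.quiet"
```

On a live box the inputs would be `/var/log/messages` and the output of `ps -axww`; since the process list is a point-in-time snapshot while the log is history, run the check from cron or a syslog trigger close to the event rather than over old logs. The current state of the interface is also visible directly: `ifconfig xl0` lists `PROMISC` among the flags while promiscuous mode is on.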