From owner-freebsd-questions Tue Apr 15 20:43:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA03575 for questions-outgoing; Tue, 15 Apr 1997 20:43:44 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA03567 for ; Tue, 15 Apr 1997 20:43:41 -0700 (PDT)
Received: from mail.virginia.edu (mail.Virginia.EDU [128.143.2.9]) by who.cdrom.com (8.8.5/8.6.11) with SMTP id UAA04053 for ; Tue, 15 Apr 1997 20:43:33 -0700 (PDT)
Received: from archive.cs.virginia.edu by mail.virginia.edu id aa07334; 15 Apr 97 23:43 EDT
Received: from stretch.cs.Virginia.edu (atf3r@stretch-fo.cs.Virginia.EDU [128.143.136.14]) by archive.cs.Virginia.EDU (8.7.5/8.7.3) with SMTP id XAA18701; Tue, 15 Apr 1997 23:43:28 -0400 (EDT)
Received: by stretch.cs.Virginia.edu (4.1/SMI-2.0) id AA18867; Tue, 15 Apr 97 23:43:27 EDT
Date: Tue, 15 Apr 1997 23:43:27 -0400 (EDT)
From: "Adrian T. Filipi-Martin"
Reply-To: adrian@virginia.edu
To: Shawn Ramsey
Cc: freebsd-questions@freebsd.org
Subject: Re: ed0 promiscuous mode?
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 14 Apr 1997, Shawn Ramsey wrote:

> > > I just got in to work this morning and saw this on my terminal:
> > >
> > > Apr 13 15:06:43 temp1 /kernal: ed0: promiscuous mode enabled
> > >
> > > What does it mean?
> >
> > Just that. :)
> >
> > It means this interface is now receiving all packets, and the kernel
> > decides what to do with them :)
> >
> > Usually it's caused by people running 'tcpdump' .. however it COULD be
> > packet-sniffer programs. Do you have the bpfilter compiled into your
> > kernel?
>
> I get the same thing with trafshow, which uses bpfilter.
Yes, any program which needs to see all data on the network instead of only data addressed to the local host puts the ethernet interface into promiscuous mode. As you mentioned, this includes tools such as tcpdump, trafshow, lanstat and anything which uses libpcap. These programs are legit when used for legit purposes.

My point was that promiscuous mode can be a real security nightmare if people have access to it who should not. Software such as the password sniffing processes which are part of RootKit, a common hacker/cracker's toolkit, uses promiscuous mode. You should not blindly ignore these messages if you do not know who is running them. Establish that promiscuous mode was being used by an "authorized" person.

cheers,

	Adrian
--
adrian@virginia.edu                   ---->>>>| Support your local programmer,
System Administrator                   --->>>| STOP Software Patent Abuses NOW!
NVL, NIIMS and Telemedicine Labs        -->>| For an application and information
Member: League for Programming Freedom   ->| see: http://www.lpf.org/
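An added example, not part of Adrian's or Shawn's messages: a small sh/awk script that scans syslog output for the kernel's "promiscuous mode enabled/disabled" lines, reports which interfaces were left in promiscuous mode and how often each was switched on, so the admin can go and establish who was running the sniffer. The log lines are constructed for the example; on a FreeBSD box the real input would be /var/log/messages (an assumption about the log path, not stated in the thread).

```sh
#!/bin/sh
# Constructed sample syslog excerpt (not taken from the original thread).
# Field layout: month day time host program iface: promiscuous mode state
SAMPLE_LOG='Apr 13 15:06:43 temp1 /kernel: ed0: promiscuous mode enabled
Apr 13 15:09:12 temp1 /kernel: ed0: promiscuous mode disabled
Apr 14 02:11:05 temp1 /kernel: ed0: promiscuous mode enabled
Apr 14 02:11:40 temp1 /kernel: ed1: promiscuous mode enabled
Apr 14 02:12:01 temp1 /kernel: ed1: promiscuous mode disabled
Apr 14 03:00:00 temp1 sshd[123]: Accepted password for alice'

# Print one "MMM DD HH:MM:SS host iface state" line per promiscuous-mode
# event; everything else in the log is ignored.
promisc_events() {
    printf '%s\n' "$1" | awk '
        / promiscuous mode (enabled|disabled)$/ {
            iface = $6; sub(/:$/, "", iface)
            print $1, $2, $3, $4, iface, $NF
        }'
}

# Print interfaces whose last recorded event was "enabled", i.e. still in
# promiscuous mode at the end of the log (an "enabled" with no matching
# "disabled" is the case worth chasing up), one per line, sorted.
promisc_still_enabled() {
    promisc_events "$1" | awk '
        { state[$5] = $6 }
        END { for (i in state) if (state[i] == "enabled") print i }' | sort
}

# Count how many times each interface was switched into promiscuous mode.
promisc_enable_counts() {
    promisc_events "$1" | awk '
        $6 == "enabled" { n[$5]++ }
        END { for (i in n) print i, n[i] }' | sort
}

# Usage: replace SAMPLE_LOG with "$(cat /var/log/messages)" on a real host.
echo "Interfaces still in promiscuous mode:"
promisc_still_enabled "$SAMPLE_LOG"
echo "Enable counts per interface:"
promisc_enable_counts "$SAMPLE_LOG"
```

While an interface is actually in promiscuous mode, `ifconfig ed0` also lists PROMISC among its flags, which is the quick live check to pair with the log history.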