From owner-freebsd-isp Tue Aug 24 16:27:26 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 632F11513A for ; Tue, 24 Aug 1999 16:27:23 -0700 (PDT) (envelope-from jwyatt@bsdie.rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2119 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 24 Aug 1999 18:19:55 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 24 Aug 1999 18:19:34 -0500 (CDT)
From: James Wyatt
To: Shawn Workman
Cc: Stuart Henderson, Dominik Brettnacher, freebsd-isp@FreeBSD.ORG
Subject: What is promiscuous mode (was Re: IP Accounting)
In-Reply-To: <036301beee72$9ddd48c0$24a535cf@ieasoftware.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sounds like it's time for a quick security check on *that* host... 8{)
Most machines don't use it (sucks CPU, sets off anti-sniff alarms, etc...)
If it is, you may have a legitimate application using it (trafshow, DHCP
server, arpwatch, etc...) or someone *could* be running a sniffer on that
machine that you don't know about. Could you quote the message you saw
this in so we can help?

The 'Dark Side' of an ethernet card running in 'promiscuous mode' is that
it sends *all* (not just its) packets to your kernel, allowing traffic on
the network to be 'tapped' to record userids, passwords, connect-ports,
etc... for later use. You never even know you've leaked until they log in.
Its 'Light Side' allows it to receive DHCP client requests, improving your
network administration, or to generate statistics on network traffic flow
for reporting.

You don't turn it on or off. It changes when you start or stop an
application that uses a BPF device. Do a 'ps auxw' and check off all the
processes you know until you find the process that is doing it. If you
have been broken into, the process might not show up if they replaced
your 'ps'.

There is no truth that you can catch a virus for using a promiscuous
ethernet card. 8{) - Jy@

On Tue, 24 Aug 1999, Shawn Workman wrote:
> I always see that my NIC is in promiscuous mode, is that a bad thing?
>
> how do I change it if it is?
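The check described in the reply above, written out as an added example (not part of the original post): it lists interfaces flagged PROMISC and the processes holding a BPF device, then filters out known-legitimate users. The allowlist names, the fstat(1) column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W) and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Each function reads command output on stdin, so the logic
# can be exercised offline against the constructed samples below.

# Commands expected to hold a BPF device on this host (assumption; adjust).
ALLOW="trafshow dhcpd arpwatch"

# Input: `ifconfig -a` output. Prints interfaces whose flags include PROMISC.
promisc_ifaces() {
    awk '/^[a-z0-9]+: flags=/ && /[<,]PROMISC[,>]/ { sub(":", "", $1); print $1 }'
}

# Input: `fstat` output. Prints "pid cmd user device" per open bpf device.
bpf_holders() {
    awk '$8 ~ /^bpf[0-9]*$/ { print $3, $2, $1, $8 }'
}

# Input: `fstat` output. Prints only BPF holders that are not on the allowlist.
unexpected_holders() {
    bpf_holders | while read -r pid cmd user dev; do
        case " $ALLOW " in
            *" $cmd "*) ;;                          # known application, skip
            *) echo "$pid $cmd $user $dev" ;;       # needs a closer look
        esac
    done
}

# Constructed sample output (not captured from a real host).
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     dhcpd        213    5 /            812 crw-------    bpf0 rw
root     sshd         301    3 /           4410 -rw-r--r--     512  r
nobody   xyzd         977    4 /            813 crw-------    bpf1  r'

echo "Promiscuous interfaces:"
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
echo "Unexpected BPF holders (pid cmd user device):"
printf '%s\n' "$SAMPLE_FSTAT" | unexpected_holders
```

On a live host, feed the functions real output: `ifconfig -a | promisc_ifaces` and `fstat | unexpected_holders`. The caveat the reply gives for 'ps' applies to ifconfig and fstat as well, so on a host that may have been broken into, run known-good copies of those binaries.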