Date:      Wed, 25 Aug 1999 11:12:40 +0100
From:      Stuart Henderson <stuart@eclipse.net.uk>
To:        Shawn Workman <shawn@bsdguy.com>
Cc:        Dominik Brettnacher <domi@saargate.de>, freebsd-isp@FreeBSD.ORG, Karl Pielorz <kpielorz@tdx.co.uk>
Subject:   Re: IP Accounting
Message-ID:  <37C3C198.EEC64872@eclipse.net.uk>
References:  <Pine.BSF.4.10.9908242135330.1919-100000@dominik.saargate.de> <37C302EC.45A675B8@eclipse.net.uk> <036301beee72$9ddd48c0$24a535cf@ieasoftware.com>

[combining replies to Karl Pielorz and Dominik Brettnacher]

DB> I always see that my NIC is in promiscuous mode, is that a bad thing?

Depends who put it there. IMHO you should reinstall the FreeBSD binaries
from CD or a freebsd.org site on the net (not a local copy) to ensure
you have clean copies of programs such as ps/top/netstat/ls/telnetd/...
then check your system carefully for abnormalities, unknown users, and
maybe innocuously named files containing sniffer logs.

DB> how do I change it if it is?

A program will have put it into promiscuous mode. If you're using kernel
bridging I think that will do it, ditto tcpdump/trafshow/ngrep/nmap and
many other programs, but they shouldn't leave it set after they have
exited.

KP> How do you know the card is in promiscuous mode?

# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
...

# grep promisc /var/log/messages
Aug 25 11:01:01 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:01:10 prometheus /kernel: fxp0: promiscuous mode enabled

Unless permissions on /dev/bpf* allow anyone to access the device
it will have been root or a setuid root program that enabled promiscuous
mode. So you can check back to see who was logged in at the time from
"who /var/log/wtmp" (assuming that nobody nasty has been tampering with
the wtmp records).

KP> Promiscuous mode means your network card will receive and process
KP> every packet on the network cable you're on, even those not destined
KP> for your own machine / self.

And yes this does imply it will be using extra cpu cycles to filter
the traffic so that local daemons only hear traffic destined for the
machine's MAC addresses. The added latency gives you a possible way of 
detecting promiscuous mode on a machine that you don't have access to 
- as used by L0pht's AntiSniff monitoring tool, more details on their
site <http://www.l0pht.com/antisniff/tech-paper.html>.

Stuart
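The checks Stuart describes (look for PROMISC in the ifconfig flags, find the kernel log lines that record when the flag was set, then see who had a session open at that time in wtmp) can be scripted. The following is an added example, not code from the original message or from FreeBSD. The ifconfig, /var/log/messages and `who /var/log/wtmp` samples are constructed to match the formats quoted above (the hostname, the second interface and the session entries are invented), so the script runs offline; on a live box you would feed it the real command output instead.

```shell
#!/bin/sh
# Added example: triage a box whose NIC shows PROMISC.
# 1. which interfaces are promiscuous (from ifconfig -a output)
# 2. when the kernel logged "promiscuous mode enabled" for them
# 3. which wtmp sessions were already open at that moment
# All sample data below is constructed for the example.

SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

# /var/log/messages excerpt in the format quoted in the message (constructed).
SAMPLE_MESSAGES='Aug 25 10:58:12 prometheus sshd[412]: connection from 192.0.2.77
Aug 25 11:01:01 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:01:10 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:05:44 prometheus /kernel: fxp0: promiscuous mode disabled'

# `who /var/log/wtmp` style output: user tty Mon DD HH:MM (host) (constructed).
SAMPLE_WTMP='root     ttyp0    Aug 25 10:59   (192.0.2.77)
stuart   ttyp1    Aug 25 09:30   (10.0.0.5)'

# promisc_ifaces IFCONFIG_TEXT: print the name of every interface whose
# flags list contains PROMISC, one per line.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+: flags=[0-9a-f]+<[^>]*>/ {
            name = $1; sub(/:$/, "", name)
            flags = $2; sub(/^flags=[0-9a-f]+</, "", flags); sub(/>$/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") print name
        }'
}

# promisc_events MESSAGES_TEXT: print "Mon DD HH:MM:SS iface" for each kernel
# line that records promiscuous mode being enabled (disable lines are skipped).
promisc_events() {
    printf '%s\n' "$1" | awk '
        /\/kernel: [a-z0-9]+: promiscuous mode enabled/ {
            iface = $6; sub(/:$/, "", iface)
            print $1, $2, $3, iface
        }'
}

# logins_at WTMP_TEXT HH:MM:SS: print wtmp sessions whose login time (HH:MM)
# is at or before the event time. Assumes a single day of input, which is
# what a quick post-incident look at `who /var/log/wtmp` gives you.
logins_at() {
    printf '%s\n' "$1" | awk -v ev="$2" '
        {
            split(ev, e, ":"); evmin = e[1] * 60 + e[2]
            split($5, l, ":"); lmin = l[1] * 60 + l[2]
            if (lmin <= evmin) print $1, $2, $5, $6
        }'
}

# report: tie the three checks together for the sample data.
report() {
    ifaces=$(promisc_ifaces "$SAMPLE_IFCONFIG")
    [ -n "$ifaces" ] || { echo "no interface in promiscuous mode"; return 0; }
    for i in $ifaces; do
        echo "== $i is PROMISC; kernel log events:"
        promisc_events "$SAMPLE_MESSAGES" | awk -v i="$i" '$4 == i' |
        while read -r mon day time iface; do
            echo "   $mon $day $time: sessions already open at this time"
            logins_at "$SAMPLE_WTMP" "$time" | sed 's/^/      /'
        done
    done
}

report
```

The report only narrows the list of candidates: as the message notes, an attacker with root can edit wtmp, and a program that set the flag and exited (tcpdump, nmap and the like) will also have left an "enabled" line, so each event still needs to be matched to a known, legitimate run before the box is declared clean.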


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37C3C198.EEC64872>