From owner-freebsd-isp Wed Aug 25 3:10:25 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from proteus.eclipse.net.uk (proteus.eclipse.net.uk [195.188.32.118]) by hub.freebsd.org (Postfix) with ESMTP id 6AD87152EF for ; Wed, 25 Aug 1999 03:10:22 -0700 (PDT) (envelope-from stuart@eclipse.net.uk)
Received: from eclipse.net.uk (elara.eclipse.net.uk [195.188.32.31]) by proteus.eclipse.net.uk (Postfix) with ESMTP id ABB6A9B38; Wed, 25 Aug 1999 11:10:21 +0100 (BST)
Message-ID: <37C3C198.EEC64872@eclipse.net.uk>
Date: Wed, 25 Aug 1999 11:12:40 +0100
From: Stuart Henderson
Organization: Eclipse Networking Ltd.
X-Mailer: Mozilla 4.61 [en] (WinNT; I)
X-Accept-Language: en-GB
MIME-Version: 1.0
To: Shawn Workman
Cc: Dominik Brettnacher, freebsd-isp@FreeBSD.ORG, Karl Pielorz
Subject: Re: IP Accounting
References: <37C302EC.45A675B8@eclipse.net.uk> <036301beee72$9ddd48c0$24a535cf@ieasoftware.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[combining replies to Karl Pielorz and Dominik Brettnacher]

DB> I always see that my NIC is in promiscuous mode, is that a bad thing?

Depends who put it there. IMHO you should reinstall the FreeBSD binaries
from CD or a freebsd.org site on the net (not a local copy) to ensure you
have clean copies of programs such as ps/top/netstat/ls/telnetd/... then
check your system carefully for abnormalities, unknown users, and maybe
innocuously named files containing sniffer logs.

DB> how do I change it if it is?

A program will have put it into promiscuous mode. If you're using kernel
bridging I think that will do it, ditto tcpdump/trafshow/ngrep/nmap and
many other programs, but they shouldn't leave it set after they have
exited.

KP> How do you know the card is in promiscuous mode?

# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
...

# grep promisc /var/log/messages
Aug 25 11:01:01 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:01:10 prometheus /kernel: fxp0: promiscuous mode enabled

Unless permissions on /dev/bpf* allow anyone to access the device it will
have been root or a setuid root program that enabled promiscuous mode. So
you can check back to see who was logged in at the time from
"who /var/log/wtmp" (assuming that nobody nasty has been tampering with
the wtmp records).

KP> Promiscuous mode means your network card will receive and process
KP> every packet on the network cable you're on, even those not destined
KP> for your own machine / self.

And yes this does imply it will be using extra cpu cycles to filter the
traffic so that local daemons only hear traffic destined for the machine's
MAC addresses. The added latency gives you a possible way of detecting
promiscuous mode on a machine that you don't have access to - as used by
L0pht's AntiSniff monitoring tool, more details on their site.

Stuart

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
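The three checks Stuart describes (the PROMISC flag in ifconfig output, the kernel's "promiscuous mode enabled" lines in /var/log/messages, and "who /var/log/wtmp" to see who was logged in when it happened), tied together in one script. This is an added example, not code from the message, from the list or from FreeBSD; it runs against constructed sample output so it works offline. The ifconfig and who lines, the extra log lines, the addresses and the host name "prometheus" are assumptions, and on a real box you would feed it the live output of `ifconfig -a`, `/var/log/messages` and `who /var/log/wtmp` instead.

```sh
#!/bin/sh
# Added example (not part of the original message). Applies the checks from
# the message to constructed sample output; the samples below are assumptions,
# chosen to look like a FreeBSD 3.x box called "prometheus".

# Constructed sample "ifconfig -a" output: fxp0 carries PROMISC, lo0 does not.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:a0:c9:12:34:56
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Constructed sample /var/log/messages lines (the two "enabled" lines mirror
# the ones quoted in the message; the login and "disabled" lines are made up).
SAMPLE_MESSAGES='Aug 25 10:58:03 prometheus login: ROOT LOGIN (root) ON ttyp0 FROM 192.0.2.77
Aug 25 11:01:01 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:01:10 prometheus /kernel: fxp0: promiscuous mode enabled
Aug 25 11:05:42 prometheus /kernel: fxp0: promiscuous mode disabled'

# Constructed sample "who /var/log/wtmp" output: NAME LINE MON DAY HH:MM (HOST).
SAMPLE_WHO='stuart   ttyp1    Aug 25 09:12   (192.0.2.5)
root     ttyp0    Aug 25 10:58   (192.0.2.77)
dominik  ttyp2    Aug 25 11:30   (192.0.2.9)'

# promisc_ifaces: names of interfaces whose flag list contains PROMISC right now.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+: flags=/ && /<[^>]*PROMISC[^>]*>/ { sub(":", "", $1); print $1 }'
}

# promisc_events: "MON DAY HH:MM:SS IFACE STATE" for each kernel promisc message.
promisc_events() {
    printf '%s\n' "$1" | awk '
        /promiscuous mode (enabled|disabled)$/ {
            iface = $6; sub(":", "", iface)
            print $1, $2, $3, iface, $9
        }'
}

# promisc_enable_count: how many times the kernel reported promisc being turned on.
promisc_enable_count() {
    promisc_events "$1" | awk '$5 == "enabled" { n++ } END { print n + 0 }'
}

# users_logged_in_at: users whose wtmp login on MON DAY is at or before HH:MM:SS.
# who(1) only shows login times, so someone who had already logged out is
# still listed; wtmp can also have been edited, as the message warns.
users_logged_in_at() {
    printf '%s\n' "$1" | awk -v mon="$2" -v day="$3" -v ev="$4" '
        BEGIN { split(ev, e, ":"); evmin = e[1] * 60 + e[2] }
        $3 == mon && $4 == day {
            split($5, t, ":")
            if (t[1] * 60 + t[2] <= evmin) print $1
        }'
}

# report: run the three checks in the order the message suggests.
report() {
    for ifc in $(promisc_ifaces "$SAMPLE_IFCONFIG"); do
        echo "WARNING: $ifc is in promiscuous mode now"
    done
    promisc_events "$SAMPLE_MESSAGES" | while read -r mon day hms ifc state; do
        echo "$mon $day $hms: $ifc promiscuous mode $state"
        if [ "$state" = "enabled" ]; then
            echo "  logged in before $hms: $(users_logged_in_at "$SAMPLE_WHO" "$mon" "$day" "$hms" | tr '\n' ' ')"
        fi
    done
}

report
```

Run it as-is to see the report on the sample data, or replace the three SAMPLE_ variables with `"$(ifconfig -a)"`, `"$(cat /var/log/messages)"` and `"$(who /var/log/wtmp)"` on a live machine. Remember the caveat in the message: if the host has been rooted, ifconfig, awk, the syslog files and wtmp may all have been tampered with, so run this from known-clean binaries before trusting a negative result.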