Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 25 Dec 2004 10:52:52 -0700
From:      Brett Glass <brett@lariat.org>
To:        Bob Ababurko <ababurko@adelphia.net>, freebsd-security@freebsd.org
Subject:   Re: odd log mesage...looks serious
Message-ID:  <6.2.0.14.2.20041225104714.05f27c58@localhost>
In-Reply-To: <41CDA5C0.3000105@adelphia.net>
References:  <41CDA5C0.3000105@adelphia.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

The most common situation in which you'll see such messages is when a program
(often tcpdump) is sniffing packets on an interface via bpf. (tcpdump normaly shifts
the interface into promiscuous mode so it can see every packet an interface receives, 
even if it's not bound for that machine.) If you were not running tcpdump or something 
similar, it's possible that a sniffer has been planted on your machine.

--Brett Glass

At 10:39 AM 12/25/2004, Bob Ababurko wrote:
  
>hello all-
>
>and a happy holiday to all you geeks that are in front of the crt!
>
>I found these log messages in my logs and I am not sure what some of them signify.
>
>Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
>Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
>Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
>I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC?  I am not doing this, so who or what is doing this.  Or better yet, what does this mean?  I have a fear that this one is serious.  So what I need is some direction into finding out how this occurs and what I can do to stop it.
>
>thanks,
>Bob
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.0.14.2.20041225104714.05f27c58>