Bugtraq mailing list archives
Re: Interface promiscuity obscurity in Linux
From: Jim Mellander <jmellander () lbl gov>
Date: Thu, 25 Jul 2002 14:58:57 -0700
My sniffer detector, update, which (unfortunately) is only a binary release at this moment pending legalities, uses the following technique for Solaris:

For all possible interfaces (le, hme, etc.), find the head of the stream linked list for that interface by examining kernel symbols: for hme, for instance, the kernel symbol is 'hmestrup'. This points to a linked list of open streams for that interface (the structure of which is in the header file hme.h, etc.). Walk the list looking at the flag for that stream, until you reach a null pointer, which is the end of the stream list. Then check the next possible interface. Some trickiness in supporting 32 bit & 64 bit kernels in the same binary. Unfortunately, it hasn't been updated for Sun Blade yet.

For Solaris x86, a similar approach is used, except there is only one linked list, but it links back to the beginning.

For Linux 2.2, it actually steps through the linked list of devices, ignoring the first one, which is the loopback, then reads the flags from kernel memory.

Here's a non-error-checking code snippet for Solaris hme (details of 32/64 bit stuff omitted):

    #include <fcntl.h>
    #include <nlist.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/hme.h>        /* struct hmestr, HMESALLPHYS */

    /* Count open hme streams that have the all-physical (promiscuous) flag set. */
    int count_promisc_hme(void)
    {
        struct nlist nl[] = { { "hmestrup" }, { 0 } };
        struct hmestr hmestr;           /* copy of one stream structure */
        struct hmestr *hmeaddr;         /* kernel address of the current stream */
        int memfd;
        int retval = 0;

        /* Open the kernel memory file Read/Write */
        memfd = open("/dev/kmem", O_RDWR);

        /* Get the namelist entry for the interface */
        nlist("/dev/ksyms", nl);
        hmeaddr = (struct hmestr *) nl[0].n_value;

        /* Walk the list of open streams until the terminating null pointer */
        while (hmeaddr != NULL) {
            lseek(memfd, (off_t) (uintptr_t) hmeaddr, SEEK_SET);
            read(memfd, (void *) &hmestr, (size_t) sizeof(struct hmestr));
            if (hmestr.sb_flags & HMESALLPHYS)
                retval++;
            hmeaddr = hmestr.sb_nextp;
        }
        close(memfd);
        return retval;
    }

update is available at ftp://lassie.lbl.gov

Casper Dik wrote:
> The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode sets by ioctl(SIOCSIFFLAGS). This is the same reason why promiscuous mode is never reported by "ifconfig" in Solaris 2.0 and later.
>
> In Solaris, ifconfig primarily (or perhaps only) deals with the "IP (or other network stack) plumbing" on devices; in that context the "promiscuous" flag has no meaning either.
>
> A number of Solaris device drivers export the fact whether they're promiscuous using the "kstat" (kernel statistics) interface; unfortunately not all devices support that yet.
>
>     $ kstat -p :::promisc
>     elxl:0:elxl0:promisc off
>
> We need to fix this for most SPARC hardware still.
>
> Casper
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

Your fortune for today is:
One Bell System - it works.
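As an added example (not code from Jim Mellander's post or from the update tool), the following C walks a list of stream records through a file descriptor the way the post describes for /dev/kmem, counting entries with a promiscuous flag, and handles both list shapes the post mentions: a null-terminated list (SPARC) and a circular one that links back to the head (x86), with a bound so a corrupted pointer cannot loop forever. The record layout, flag bit, addresses and memory image are constructed stand-ins, not the real struct hmestr.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define FLAG_ALLPHYS 0x0004u  /* constructed stand-in for a flag like HMESALLPHYS */
#define MAX_STREAMS  4096     /* bound on the walk, in case a pointer is corrupted */

/* Constructed stand-in for the per-stream record read from kernel memory:
 * the real structure carries more fields, but only these two matter here. */
struct stream_rec {
    uint32_t flags;
    uint32_t next;  /* address of the next record; 0 ends a SPARC-style list */
};

/* Walk the list starting at head, reading each record through fd (a
 * /dev/kmem-like memory image), and count records with the promisc flag.
 * Stops at a null pointer or when an x86-style circular list returns to
 * head; returns -1 on an unreadable address or a walk that never ends. */
int count_promisc(int fd, uint32_t head)
{
    struct stream_rec rec;
    uint32_t addr = head;
    int count = 0, visited = 0;
    while (addr != 0 && visited < MAX_STREAMS) {
        if (pread(fd, &rec, sizeof rec, (off_t) addr) != (ssize_t) sizeof rec)
            return -1;
        if (rec.flags & FLAG_ALLPHYS)
            count++;
        visited++;
        addr = rec.next;
        if (addr == head)   /* circular list: back at the first stream */
            break;
    }
    return visited < MAX_STREAMS ? count : -1;
}

/* Build a constructed memory image in an unlinked temp file: record i is
 * written at "address" addrs[i]. Returns the fd, or -1 on failure. */
int build_image(const struct stream_rec *recs, const uint32_t *addrs, int n)
{
    char path[] = "/tmp/kmem_imageXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    for (int i = 0; i < n; i++)
        if (pwrite(fd, &recs[i], sizeof recs[i], (off_t) addrs[i]) < 0) return -1;
    return fd;
}
```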
Current thread:
- Interface promiscuity obscurity in Linux Ricardo Branco (Jul 24)
- Re: Interface promiscuity obscurity in Linux Paul Starzetz (Jul 25)
- Re: Interface promiscuity obscurity in Linux Glynn Clements (Jul 25)
- Re: Interface promiscuity obscurity in Linux Frédéric Raynal (Jul 25)
- Re: Interface promiscuity obscurity in Linux Casper Dik (Jul 25)
- Re: Interface promiscuity obscurity in Linux Jim Mellander (Jul 25)
- Re: Interface promiscuity obscurity in Linux Casper Dik (Jul 25)
- Re: Interface promiscuity obscurity in Linux Ademar de Souza Reis Jr. (Jul 25)
- Re: Interface promiscuity obscurity in Linux Rasmus Bøg Hansen (Jul 24)
- Re: Interface promiscuity obscurity in Linux plattner (Jul 24)
- Re: Interface promiscuity obscurity in Linux quentyn (Jul 25)
- Re: Interface promiscuity obscurity in Linux plattner (Jul 24)