Snort mailing list archives
Promiscuous mode
From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 14 Aug 2003 10:00:21 -0500
I'm reading what appears to be somewhat conflicting or at least inconclusive stuff. In the archives I see statements such as "When snort comes up it puts the NIC in promiscuous mode" + "You can check that with ifconfig", etc...

I'm running snort 2.0.1 on Solaris 8 on a 64-bit sun5. We've compiled for 32-bit. I've got 2 NICs: hme0 and hme1. hme0 allows IPv6 over IPv4, and is the sniffer interface. hme1 is the management interface. hme0 is on a hub which is fed by the firewall so I can see all the packets coming in from the firewall. (I know I'm losing full-duplex capabilities, but this is considered a testbed, and is the first install of snort in the company).

Using ACID, I'm seeing traffic from all over the network (not just packets destined for the sniffer IP address), which tells me that the card is in some way in promiscuous mode. I also read that libpcap lifts ALL the packets off the NIC, which suggests to me that even when ifconfig does not report that the sniffer interface is in promiscuous mode that I'm getting all the packets anyway, a conclusion apparently supported by what I'm seeing out of ACID. It also doesn't seem to matter whether the sniffer interface is up or down, also supportive of what libpcap is supposed to do.

I'm thinking that "brings the interface up in promiscuous mode" is a bit of a misnomer. That appears to be the effect because of libpcap. I'm thinking that "libpcap hands the IP stack all the packets off the sniffer interface as if it were in promiscuous mode" is more accurate.

I think all is well, but I'd like to hear a definitive "yes" so I can get onto some serious rule management.

Thanks!
Current thread:
- Promiscuous mode John Creegan (Aug 14)
- Re: Promiscuous mode Matt Kettler (Aug 14)
- <Possible follow-ups>
- Re: Promiscuous mode John Creegan (Aug 19)