Bugtraq mailing list archives

Re: Interface promiscuity obscurity in Linux


From: Frédéric Raynal <frederic.raynal () inria fr>
Date: Thu, 25 Jul 2002 08:09:44 +0200


        Hello,

This is a well-known issue, and C. Grenier and I have understood why
only very recently. In fact, this is due to the change in the handling of
promiscuous mode in kernel space.

With kernel 2.0, one had to perform the following to set the interface
to promiscuous mode:
  
  strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
  ioctl(sock, SIOCGIFFLAGS, &ifr);
  ifr.ifr_flags |= IFF_PROMISC;
  ioctl(sock, SIOCSIFFLAGS, &ifr);

The trouble was that the promiscuous mode was handled by a flag.  Each
time a process sets this mode, the flag is set. But if another process
removes this mode, the flag is cleared. Rather bad behavior.

Since kernel 2.2, a process must ask to enter a membership of
processes (setsockopt(..., PACKET_ADD_MEMBERSHIP,...)) using the
interface in promiscuous mode. A counter is then increased. Once a
process of the membership does not need the promiscuous mode anymore,
it drops the membership (setsockopt(..., PACKET_DROP_MEMBERSHIP, ...)),
the counter is decreased, and promiscuous mode is disabled as soon as
the counter is 0.

  struct packet_mreq mr;
  ...
  memset(&mr, 0, sizeof(mr));
  mr.mr_ifindex = ifr.ifr_ifindex;
  mr.mr_type =  PACKET_MR_PROMISC;
  setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, (char *)&mr, sizeof(mr));



The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode set by
ioctl(SIOCSIFFLAGS).


--
Frederic RAYNAL, Ph.D.
http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook



On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:

This affects Linux 2.2 and 2.4

Using libpcap to put the interface in promiscuous mode will cause
ifconfig(8) not to show it!

libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
PACKET_MR_PROMISC to set the interface in promiscuous mode.

I reported this to the tcpdump-workers mailing list and the problem is
that the setsockopt() sets the promisc flag in a variable that is not the
same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
kernel source right now to make this advisory more precise.

Well, sorry for my not-so-good English
Enjoy


