Bugtraq mailing list archives
Re: Interface promiscuity obscurity in Linux
From: "Ademar de Souza Reis Jr." <ademar () conectiva com br>
Date: Thu, 25 Jul 2002 09:40:50 -0300
On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode will cause that ifconfig(8) doesn't show it! libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I notified this to the tcpdump-workers mailing list and the problem is that the setsockopt() sets the promisc flag in a variable that is not the same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the kernel source right now to make this advisory more precise.

I noticed it some time ago and did a little research to discover why this happens. There are some results/discussion in our bugzilla:

http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=5201
(I'm sorry some parts of this page are in Brazilian Portuguese)

This subject was already discussed in the linux-kernel mailing list:

PACKET_MR_PROMISC doesn't set IFF_PROMISC
http://www.uwsg.iu.edu/hypermail/linux/kernel/0101.2/1349.html

Misreporting of the PROMISC flag
http://www.uwsg.iu.edu/hypermail/linux/kernel/9705.2/0284.html

And in the tcpdump-workers list:

[tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00192.html

Re: [tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00184.html

Transcribing some interesting parts of the message above:

...
"This means that only promiscuity requested by SIOCSIFFLAGS will show up in SIOCGIFFLAGS, not promiscuity requested by PACKET_MR_PROMISC."
...
"
> IFF_PROMISC is not set,

It's not supposed to be set. The correct way to put into promiscuous mode the device to which a PF_PACKET socket is to do a SOL_PACKET/PACKET_ADD_MEMBERSHIP "setsockopt()" call with PACKET_MR_PROMISC as the argument (see the "packet(7)" man page), and that's what libpcap is doing.

The old way of directly setting IFF_PROMISC had problems - [...]
...

And in another message (same thread):

"
Just to make things clear: the >= 2.2 kernels have a new way of setting promiscuous mode via setsockopt(). We use this since a few months in pcap. It has the advantage of thread-safeness. The usage of ioctl() is depreciated. ifconfig doesn't show the flag, b/c kernel filters it out. Don't know why.

Administrators should note that they don't see sniffers anymore on >= 2.2 kernels!
"

Although I think fixing ifconfig would be a good thing(TM), it's considered obsolete. Use the "ip" utility instead.

Cheers.
 - Ademar

--
Ademar de Souza Reis Jr. <ademar () conectiva com br>
Conectiva S/A - http://www.conectiva.com

^[:wq!