Snort mailing list archives

Re: ifconfig may not correctly show promiscuous mode under linux


From: "John Creegan" <jcreegan () questarweb com>
Date: Fri, 15 Aug 2003 13:10:25 -0500

This is good to know (and definitely where I am at).  Any idea how to
port this info to Solaris 8 on a SUN Ultra 5?  There's no "ip" command
there.

Paul Beltrani wrote: 

This appears to be a common thread/question for snort users but 
it isn't in the FAQ.  In fact the FAQ may be incorrect in 
suggesting people use "ifconfig" to determine promiscuous mode.


A net search shows many people are confused because:

1) They expect snort to put the network interface into promiscuous 
mode.

2) The alerts snort returns imply the interface IS in promiscuous 
mode.

3) They then run ifconfig and it does not show the interface is 
in promiscuous mode.

I found some references that would indicate ifconfig under 
linux does NOT always report the correct state of promiscuous 
mode on an interface. See:
http://marc.theaimsgroup.com/?l=snort-users&m=99249371217700&w=2 
http://www.ussg.iu.edu/hypermail/linux/net/0101.2/0060.html 

FWIW, the "ip" command from the iproute package DOES appear to 
return the correct state of the interface when running snort.

The following output is from a RH9.0 system running the 
2.4.20-19.9 Kernel and using a 3com 509 NIC.

/sbin/ip link show
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff

/sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:60:97:81:37:9B
         inet addr:xx.xx.xx.xx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:5151010 errors:28 dropped:0 overruns:34 frame:28
         TX packets:1579623 errors:0 dropped:0 overruns:0 carrier:0
         collisions:12141 txqueuelen:100
         RX bytes:491015762 (468.2 Mb)  TX bytes:298061933 (284.2 Mb)
         Interrupt:5 Base address:0x300

Note:
A) "ip" correctly indicates the NIC is in promiscuous mode.
B) "ifconfig" does NOT indicate promiscuous mode

 - Paul Beltrani
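
The comparison made in the post above, written as a script. This is an added example, not part of either poster's message: the function names are hypothetical, the sample text is the "ip" and "ifconfig" output quoted in the post (wrapped lines rejoined, address and counter lines dropped), and the ifconfig parser assumes the net-tools layout shown there.

```shell
#!/bin/sh
# Added example: report whether "ip link show" and "ifconfig" agree on the
# PROMISC flag for one interface.

# Sample outputs taken from the post (trimmed to the lines that carry flags).
IP_SAMPLE='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:81:37:9b brd ff:ff:ff:ff:ff:ff'
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:60:97:81:37:9B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# ip_has_promisc IFACE TEXT: exit 0 if PROMISC is in IFACE's <...> flag list.
ip_has_promisc() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $2 == (ifc ":") && match($0, /<[^>]*>/) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ifconfig_has_promisc TEXT: exit 0 if PROMISC is a word on the flags line
# (assumption: the flags line is the one carrying "MTU:", as in the post).
ifconfig_has_promisc() {
    printf '%s\n' "$1" | awk '
        /MTU:/ { for (i = 1; i <= NF; i++) if ($i == "PROMISC") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# promisc_report IFACE IP_TEXT IFCONFIG_TEXT: print a one-line comparison.
promisc_report() {
    a=no; b=no
    ip_has_promisc "$1" "$2" && a=yes
    ifconfig_has_promisc "$3" && b=yes
    if [ "$a" = "$b" ]; then verdict=agree; else verdict=MISMATCH; fi
    echo "$1 ip=$a ifconfig=$b $verdict"
}

# Live use (assumes iproute and net-tools are installed):
#   promisc_report eth0 "$(/sbin/ip link show eth0)" "$(/sbin/ifconfig eth0)"
promisc_report eth0 "$IP_SAMPLE" "$IFCONFIG_SAMPLE"
```

A MISMATCH line while the sensor is running is the situation the post describes: the flag appears in the "ip" output but not in the "ifconfig" output.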




