Date:      Tue, 15 Apr 1997 23:43:27 -0400 (EDT)
From:      "Adrian T. Filipi-Martin" <atf3r@cs.virginia.edu>
To:        Shawn Ramsey <shawn@luke.cpl.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ed0 promiscuous mode?
Message-ID:  <Pine.SUN.3.90.970415233559.4685H-100000@stretch.cs.Virginia.edu>
In-Reply-To: <Pine.BSF.3.95.970414124425.5873A-100000@luke.cpl.net>

On Mon, 14 Apr 1997, Shawn Ramsey wrote:

> > > I just got in to work this morning and saw this on my terminal:
> > 
> > > 
> > > Apr 13 15:06:43 temp1 /kernal: ed0: promiscuous mode enabled
> > > 
> > > What does it mean?
> > > 
> > 
> > Just that. :)
> > 
> > It means this interface is now receiving all packets, and the kernel
> > decides what to do with them :)
> > 
> > Usually it's caused by people running 'tcpdump' .. however it COULD be
> > packet-sniffer programs. Do you have the bpfilter compiled into your
> > kernel?
> 
> I get the same thing with trafshow, which uses bpfilter.

	Yes, any program which needs to see all data on the network 
instead of only data addressed to the localhost puts the ethernet 
interface into promiscuous mode.  As you mentioned this includes tools 
such as tcpdump, trafshow, lanstat and anything which uses libpcap.  
These programs are legit when used for legit purposes.  

	My point was that promiscuous mode can be a real security 
nightmare if people have access to it who should not.  Software such as 
the password sniffing processes which are part of RootKit, a common 
hacker/cracker's toolkit, uses promiscuous mode.  You should not blindly 
ignore these messages if you do not know who is running them.  Establish 
that promiscuous mode was being used by an "authorized" person. 

cheers,

	Adrian
--
adrian@virginia.edu                ---->>>>| Support your local programmer,
System Administrator                 --->>>| STOP Software Patent Abuses NOW!
NVL, NIIMS and Telemedicine Labs       -->>| For an application and information
Member: League for Programming Freedom   ->| see: http://www.lpf.org/
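The advice above is to treat "promiscuous mode enabled" kernel messages as something to account for rather than ignore. The following script is an added example, not part of the original thread or of FreeBSD: it scans syslog-style lines for the interface promiscuous-mode messages described in the thread, counts how often each interface was put into promiscuous mode, and reports interfaces whose most recent event is "enabled" (i.e. still being sniffed as of the end of the log). The log lines are constructed for this example, modelled on the one quoted in the thread; the message format assumed by the regular expression is "<ifname>: promiscuous mode enabled|disabled" after the usual syslog timestamp, host and program fields.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real output), modelled on the
# "ed0: promiscuous mode enabled" line quoted in the thread.
SAMPLE_LOG = """\
Apr 13 15:06:43 temp1 /kernel: ed0: promiscuous mode enabled
Apr 13 15:07:10 temp1 /kernel: ed0: promiscuous mode disabled
Apr 13 15:12:02 temp1 /kernel: ed0: promiscuous mode enabled
Apr 13 15:12:05 temp1 sshd[211]: log message unrelated to the interface
Apr 13 16:01:30 temp1 /kernel: ed1: promiscuous mode enabled
"""

# Assumed message layout: syslog timestamp, host, program tag, then the
# kernel text "<ifname>: promiscuous mode enabled|disabled".
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"(?P<ifname>\w+): promiscuous mode (?P<state>enabled|disabled)$"
)


def parse_promisc_events(text):
    """Return a list of (timestamp, host, ifname, state) tuples, one per
    promiscuous-mode message found in the log text, in log order."""
    events = []
    for line in text.splitlines():
        m = PROMISC_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["host"], m["ifname"], m["state"]))
    return events


def enable_count(events):
    """Count how many times each (host, ifname) was put into promiscuous
    mode; repeated toggling is a hint worth asking about."""
    counts = defaultdict(int)
    for _, host, ifname, state in events:
        if state == "enabled":
            counts[(host, ifname)] += 1
    return dict(counts)


def interfaces_left_promiscuous(events):
    """Interfaces whose latest event is 'enabled': as far as the log shows,
    something is still reading every frame on that segment.  Returns a
    sorted list of (host, ifname, timestamp_of_last_enable)."""
    last = {}
    for ts, host, ifname, state in events:
        last[(host, ifname)] = (ts, state)
    return sorted(
        (host, ifname, ts)
        for (host, ifname), (ts, state) in last.items()
        if state == "enabled"
    )


if __name__ == "__main__":
    evs = parse_promisc_events(SAMPLE_LOG)
    for host, ifname, n in sorted((h, i, n) for (h, i), n in enable_count(evs).items()):
        print(f"{host} {ifname}: promiscuous mode enabled {n} time(s)")
    for host, ifname, ts in interfaces_left_promiscuous(evs):
        print(f"CHECK: {host} {ifname} still promiscuous since {ts}; "
              f"find out who is running the sniffer")
```

A "still promiscuous" report is only a prompt to look, as the message says: match the timestamp against who was logged in and what was running (tcpdump, trafshow and the like are legitimate when an authorised person is using them), and treat an interface you cannot account for as a possible sniffer.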



