Author: green
Date: 21-11-00 01:57
Very often I've got these kernel messages:
Nov 21 00:02:48 mega /kernel: ppp0: promiscuous mode enabled
Nov 21 00:02:58 mega /kernel: ppp0: promiscuous mode disabled
Nov 21 00:06:15 mega /kernel: ed0: promiscuous mode enabled
Nov 21 00:06:38 mega /kernel: ed0: promiscuous mode disabled
Nov 21 00:06:49 mega /kernel: ed1: promiscuous mode enabled
Nov 21 00:07:03 mega /kernel: ed1: promiscuous mode disabled
Nov 21 00:07:06 mega /kernel: ppp0: promiscuous mode enabled
Nov 21 00:07:23 mega /kernel: ppp0: promiscuous mode disabled
Nov 21 00:10:23 mega /kernel: ed0: promiscuous mode enabled
Nov 21 00:10:36 mega /kernel: ed0: promiscuous mode disabled
Please help me.
What is this?
Author: Dan Langille
Date: 21-11-00 02:54
Promiscuous mode means the card is reading everything that comes to it. Normally, it reads only those packets which are addressed to that card. Promiscuous mode can be useful for various debugging tools, such as tcpdump. Such tools put the card into promiscuous mode in order to read all the network traffic flowing past.
Have you been running tcpdump? Are you the only user on this box? If not, it could, I repeat, could be that someone else is running tcpdump, or something similar, in order to sniff your traffic (e.g. for gathering passwords etc.).
Author: green
Date: 21-11-00 14:21
Very often I run trafshow.
Do you think the kernel enables promiscuous mode when I run trafshow?
Author: Don Brearley
Date: 21-11-00 18:11
Green,
Yeah, chances are it's trafshow that is doing it.
You should run it, and see if that message appears when you run it.
- Don
Author: Dan Langille
Date: 21-11-00 20:46
I have never used trafshow. But Don's suggestion is good.
On one screen, run tail -f /var/log/messages.
On another screen, run trafshow. See if the messages appear in the first screen.
Author: Daniel Schrock
Date: 22-11-00 17:38
It is your trafshow. I use it quite a bit. I would worry about it too much if you are the only user on the box, but I would keep an eye on it, just to make sure your card isn't in promiscuous mode without you putting it in that mode.
Last month's issue of SysAdmin had some nice security scripts that run as a cronjob. One of the scripts checks the network interfaces for promiscuous mode and emails you if it finds a problem. They are originally for Sun and Linux, but after a few path changes and tweaks, they work great in FreeBSD. I set some scripts to run every hour, the rest to run once a day, and then email my cell phone as soon as it finds a problem. Very nice.
ftp://ftp.mfi.com/pub/sysadmin/2000/nov2000.tar.Z
or just go to http://www.sysadminmag.com
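The kind of check Daniel Schrock describes above (look at the interfaces from cron and send mail when one is in promiscuous mode), written as an added example that is not part of the thread and is not the SysAdmin magazine scripts. The `ALLOW` and `MAILTO` variables, the `--live` switch and the sample `ifconfig` text are assumptions constructed here.

```shell
#!/bin/sh
# Added example: cron-friendly promiscuous-mode check (not from the thread).
# ALLOW and MAILTO are hypothetical settings introduced for this example.
ALLOW="${ALLOW:-}"        # space-separated interfaces you expect to be promiscuous
MAILTO="${MAILTO:-root}"  # where the alert goes

# Read "ifconfig -a" style text on stdin; print each interface with PROMISC set.
promisc_ifaces() {
    awk '
    /^[A-Za-z0-9_.]+: flags=/ {
        name = $1; sub(/:$/, "", name)
        split($0, part, /[<>]/)          # part[2] is "UP,BROADCAST,..."
        n = split(part[2], flag, ",")
        for (i = 1; i <= n; i++) if (flag[i] == "PROMISC") print name
    }'
}

# Same input, minus interfaces listed in ALLOW (e.g. one you sniff on yourself).
unexpected_promisc() {
    promisc_ifaces | while read -r ifc; do
        case " $ALLOW " in
            *" $ifc "*) ;;               # expected, stay quiet
            *) echo "$ifc" ;;
        esac
    done
}

# Constructed sample in FreeBSD ifconfig format, so the script runs offline.
sample_ifconfig() {
cat <<'EOF'
ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
EOF
}

if [ "${1:-}" = "--live" ]; then
    # From cron: inspect the real interfaces, mail only when something is found.
    found=$(ifconfig -a | unexpected_promisc)
    [ -z "$found" ] || printf 'PROMISC set on: %s\n' "$found" |
        mail -s "promiscuous interface on $(hostname)" "$MAILTO"
else
    sample_ifconfig | unexpected_promisc  # demo run on the constructed sample
fi
```

Unlike watching /var/log/messages, this reads the current interface flags, so it also catches an interface that was switched to promiscuous mode before the last log rotation and never switched back.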
Author: Dan Langille
Date: 22-11-00 19:27
Sounds like logcheck (http://freshports.org/port-description.php3?port=2691). But AFAIK, logcheck does much more than just check for promiscuous mode. It looks through /var/log/messages (for example) and reports anything which appears and isn't on an "ignore" list.