On Fri, 14 Sep 2001 15:00:21 PDT, "Sean 'Shaleh' Perry" writes:
>
> On 14-Sep-2001 Rino Mardo wrote:
>> "I'm checking out snort, a network intrusion detection system. I
>> noticed that when I start the snort daemon to listen on eth0 (my NIC
>> connected to the Internet), the interface enters promiscuous mode. I know
>> what promiscuous mode is, but I'm wondering what the impacts of the
>> device's being on promiscuous mode will be.
>
> The NIC will be working a little more because it reacts to every packet on the
> wire, even ones it would usually not be interested in. This will likely mean
> a little more OS/CPU work as well.

"a little"? On a reasonably busy LAN (and, of course, with equipment which
hands you all the packets[0]) your system will have *much* *much* more to do.
Especially when doing filtering and logging dropped packets...

ka:/home/waldner# uptime
 12:08am up 55 days, 10:48, 3 users, load average: 0.00, 0.00, 0.00
ka:/home/waldner# ifconfig eth0 promisc
ka:/home/waldner# uptime
 12:13am up 55 days, 10:53, 3 users, load average: 2.45, 1.10, 0.70
ka:/home/waldner# ifconfig eth0 -promisc
ka:/home/waldner# uptime
 12:23am up 55 days, 11:03, 3 users, load average: 0.12, 0.40, 0.17

Ok, I'm getting ~ 9.2 MBit/s[1] worth of traffic while in promiscuous mode,
whereas ~ 40 Kbit/s when not.

0: most switches won't. I still don't know how most cisco-switches get to
   know that an attached NIC enters promiscuous mode...
1: 10 MBit/s-ethernet on a 10/100-switch populated by mostly 100 MBit/s-cards
   and -clients.

cheers,
&rw
--
-- Those who think they know it all are
-- very annoying to those of us who do.
----
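The measurement above (receive rate on the interface, plus whether it is currently promiscuous) as a small script; this is an added example, not part of the original thread. It assumes a Linux host with /proc/net/dev and /sys/class/net/IFACE/flags (IFF_PROMISC is bit 0x100); the interface name and sample window are arguments.

```shell
#!/bin/sh
# Report receive throughput and promiscuous state of one interface.
# Added example (not from the thread). Assumes Linux /proc/net/dev and
# /sys/class/net/<iface>/flags, where IFF_PROMISC is the 0x100 bit.

# rx_bytes_from_netdev LINE: receive byte counter from one /proc/net/dev
# line, e.g. "  eth0: 12345 67 0 0 ..." (the kernel may omit the space
# after the colon for large counters, so split on ':' first).
rx_bytes_from_netdev() {
    printf '%s\n' "$1" | awk -F: '{ split($2, f, " "); print f[1] }'
}

# mbps BYTES_BEFORE BYTES_AFTER SECONDS: average Mbit/s over the window.
mbps() {
    awk -v a="$1" -v b="$2" -v t="$3" \
        'BEGIN { printf "%.2f\n", (b - a) * 8 / (t * 1000000) }'
}

# is_promisc FLAGS_HEX: 1 if the IFF_PROMISC bit is set in the flags word
# read from /sys/class/net/<iface>/flags (e.g. 0x1103), else 0.
is_promisc() {
    printf '%s\n' "$(( ($1 & 0x100) != 0 ))"
}

# rx_rate IFACE SECONDS: sample the counter twice and print Mbit/s.
rx_rate() {
    before=$(rx_bytes_from_netdev "$(grep "^ *$1:" /proc/net/dev)")
    sleep "$2"
    after=$(rx_bytes_from_netdev "$(grep "^ *$1:" /proc/net/dev)")
    mbps "$before" "$after" "$2"
}

# report IFACE SECONDS: one line such as "eth0 promisc=1 9.20 Mbit/s".
report() {
    flags=$(cat "/sys/class/net/$1/flags")
    printf '%s promisc=%s %s Mbit/s\n' "$1" "$(is_promisc "$flags")" \
        "$(rx_rate "$1" "$2")"
}

# Usage: ./rxrate.sh eth0 10   (default window 10 s)
if [ -n "${1:-}" ]; then
    report "$1" "${2:-10}"
fi
```

Run it once with the interface in normal mode and once after `ifconfig eth0 promisc` to reproduce the comparison the message makes; a promiscuous interface that nobody configured is worth investigating on its own.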

