Re: promiscuous eth0
On Mon, 5 Mar 2001, Jaan Sarv wrote:

>> Also, paranoid network administrators might be a little upset by it, since Linux sends out a frame indicating it is switching into (or out of) promiscuous mode. This is possible evidence that you're running a sniffer of some kind (such as snort).
>
> Hi,
>
> How can I recognize such frames/packets? I know this isn't a very effective method when trying to discover sniffers, but worth a shot. Is there a way to disable those frames/packets?
>
> Jaan
> a bit paranoid :)

Unless I'm mistaken, there was an article in phrack magazine a while back about a kernel patch that disables the sending of the "promiscuous mode" packet. For this reason, only misconfigured computers (or script kiddies) would be sending this out; truly skilled {cr,h}ackers are unlikely to not patch the kernel before doing any covert sniffing.

Regards,

Alex.
Re: promiscuous eth0
This is really goofy. But I've been able to (at least in my case) narrow the problem down to using Xircom cards. The 3Com card that I use in my other Debian laptop works great (switching between the two demonstrates this behavior as well, so it isn't the laptop, and the 3Com card is Cardbus as well).

If I switch the Xircom to promiscuous mode, ping the gateway, and then switch back, everything is great. Until I switch it into promiscuous, though, no traffic occurs. The really weird thing is that I *do* get enough traffic through to allow DHCP configuration on startup. Using a static IP address works (although I'm hijacking an address in the DHCP field.. can't wait 'till the guy in charge finds out...)

At 06:37 PM 3/7/2001 -0800, you wrote:

> On Mon, 5 Mar 2001, Jaan Sarv wrote:
>
>>> Also, paranoid network administrators might be a little upset by it, since Linux sends out a frame indicating it is switching into (or out of) promiscuous mode. This is possible evidence that you're running a sniffer of some kind (such as snort).
>>
>> Hi,
>>
>> How can I recognize such frames/packets? I know this isn't a very effective method when trying to discover sniffers, but worth a shot. Is there a way to disable those frames/packets?
>>
>> Jaan
>> a bit paranoid :)
>
> Unless I'm mistaken, there was an article in phrack magazine a while back about a kernel patch that disables the sending of the promiscuous mode packet. For this reason, only misconfigured computers (or script kiddies) would be sending this out; truly skilled {cr,h}ackers are unlikely to not patch the kernel before doing any covert sniffing.
>
> Regards,
>
> Alex.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]

- This Space Intentionally Left Blank -
Re: promiscuous eth0
On Mon, Mar 05, 2001 at 09:51:07AM -0800, Jeff Coppock wrote:

> Hi,
>
> Turning on Multicast works. I like this better than turning on promiscuous. I need to figure out why this isn't turning on automagically at startup. If multicast is not set in the kernel, will that cause this? Makes sense to me.

Depending on your NIC, multicast might be implemented by running in promisc mode, since some NICs can't filter multicast packets, so the kernel has to get them all and do the filtering itself.

If you want to test this, run

    watch -n1 cat /proc/interrupts

while you aren't doing anything with the network. See if your card is generating interrupts when there is network traffic that isn't to or from you (and isn't broadcast.) If it is, then the hardware is in promiscuous mode.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
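The /proc/interrupts check from the message above, done as a before/after diff instead of by eye. This is an added example, not part of the original message; both snapshots are constructed, and `eth0` sharing IRQ 10 with a USB controller is an assumption made to show the ambiguous case.

```python
import re

# Constructed snapshots in the /proc/interrupts layout (single CPU).
BEFORE = """\
           CPU0
  0:    8214503          XT-PIC  timer
  1:      10342          XT-PIC  keyboard
 10:      88211          XT-PIC  eth0, usb-uhci
NMI:          0
"""
AFTER = BEFORE.replace("8214503", "8214603").replace("88211", "88954")

def irq_counts(snapshot, device):
    """Map IRQ label -> (count summed over all CPUs, shared?) for `device`."""
    lines = snapshot.splitlines()
    ncpu = len(lines[0].split())              # header row: CPU0 CPU1 ...
    result = {}
    for line in lines[1:]:
        label, _, rest = line.partition(":")
        fields = rest.split()
        counts, tail = fields[:ncpu], " ".join(fields[ncpu:])
        if len(counts) < ncpu or not all(c.isdigit() for c in counts):
            continue                          # malformed or truncated row
        # tail is "<controller> dev[, dev...]"; a comma means a shared line
        names = [n for n in re.split(r"[,\s]+", tail) if n]
        if device in names:
            result[label.strip()] = (sum(map(int, counts)), "," in tail)
    return result

def irq_delta(before, after, device):
    """Interrupts raised on the device's IRQ line(s) between two snapshots."""
    b, a = irq_counts(before, device), irq_counts(after, device)
    return {irq: (a[irq][0] - b[irq][0], a[irq][1]) for irq in a if irq in b}

if __name__ == "__main__":
    for irq, (delta, shared) in irq_delta(BEFORE, AFTER, "eth0").items():
        note = " (shared IRQ: other devices may account for this)" if shared else ""
        print(f"IRQ {irq}: +{delta} interrupts{note}")
```

On a live host, read /proc/interrupts twice a few seconds apart while the machine is idle and pass both texts to `irq_delta`; a large delta on an unshared line while only other hosts are talking is the signal the message describes.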
Re: promiscuous eth0
> Also, paranoid network administrators might be a little upset by it, since Linux sends out a frame indicating it is switching into (or out of) promiscuous mode. This is possible evidence that you're running a sniffer of some kind (such as snort).

Hi,

How can I recognize such frames/packets? I know this isn't a very effective method when trying to discover sniffers, but worth a shot. Is there a way to disable those frames/packets?

Jaan
a bit paranoid :)
Re: promiscuous eth0
Hi,

Turning on Multicast works. I like this better than turning on promiscuous. I need to figure out why this isn't turning on automagically at startup. If multicast is not set in the kernel, will that cause this? Makes sense to me.

jc

On Fri, Mar 02, 2001 at 10:01:06PM +0100, Kristian F. Høgh wrote:

> Hi Jeff.
>
> My pcmcia netcard also doesn't work when I switch on my laptop. When I type ifconfig it prints:
>     UP BROADCAST RUNNING
> then I enable multicast (ifconfig eth0 multicast)
> It works and ifconfig prints
>     UP BROADCAST RUNNING MULTICAST
>
> Kristian F. Høgh.
>
> Jeff Coppock wrote:
>
>> I recently installed snort on my laptop to check it out and now my pcmcia network card will pass IP only when snort is running (daemon mode or not), or I have to put my network card in promiscuous mode [#ifconfig eth0 -promisc].
>>
>> I can't find any configuration that is obvious to me that would cause this, but I'm an intermediate linux user. Any suggestions on where to look and what to look for? Also, what problems might using promiscuous mode cause?
>>
>> thanks,
>> jc
Re: promiscuous eth0
----- Original Message -----
From: Jeff Coppock [EMAIL PROTECTED]
To: debian security list debian-security@lists.debian.org
Sent: Friday, March 02, 2001 8:05 PM
Subject: promiscuous eth0

> I recently installed snort on my laptop to check it out and now my pcmcia network card will pass IP only when snort is running (daemon mode or not), or I have to put my network card in promiscuous mode [#ifconfig eth0 -promisc].

The command:

    ifconfig eth0 -promisc    ; remove promiscuous mode

To enable it, it's:

    ifconfig eth0 promisc

> I can't find any configuration that is obvious to me that would cause this, but I'm an intermediate linux user. Any suggestions on where to look and what to look for? Also, what problems might using promiscuous mode cause?
>
> thanks,
> jc
Re: promiscuous eth0
Snort by default sets your interface card to promiscuous mode. You can verify this by looking at 'ifconfig' output.

    eth0 Link encap:Ethernet HWaddr 00:E0:7D:79:01:25
         inet addr:XX.XX.XX.XX Bcast:255.255.255.255 Mask:255.255.254.0
         UP BROADCAST RUNNING PROMISC MTU:1500 Metric:1
         RX packets:1882801 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1704205 errors:8 dropped:0 overruns:0 carrier:16
         collisions:7247 txqueuelen:100
         Interrupt:10 Base address:0xe000

    UP BROADCAST RUNNING ||[PROMISC]|| etc...

If you don't want snort running in promisc mode you can set this with the -p option.

Another way of verifying your interface is in promisc mode is to look at your /var/log/messages file for kernel message

    Mar 3 04:07:06 kid_natas kernel: device eth0 entered promiscuous mode
    Mar 3 04:07:15 kid_natas kernel: device eth0 left promiscuous mode

cheers

xbud
[EMAIL PROTECTED]
[EMAIL PROTECTED]
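The two checks described in the message above (the PROMISC flag in ifconfig output and the kernel lines in /var/log/messages), turned into a small audit script. This is an added example, not part of the original message; the eth1 line and the second eth0 "entered" line in the sample log are constructed, and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the kernel lines quoted above.
SAMPLE_LOG = """\
Mar  3 04:07:06 kid_natas kernel: device eth0 entered promiscuous mode
Mar  3 04:07:15 kid_natas kernel: device eth0 left promiscuous mode
Mar  3 04:09:41 kid_natas kernel: device eth1 left promiscuous mode
Mar  3 04:12:30 kid_natas kernel: device eth0 entered promiscuous mode
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+kernel:.*?"
    r"device (?P<dev>\S+) (?P<what>entered|left) promiscuous mode")

def promisc_report(log_text, year=2001):
    """Return (closed intervals, devices still promiscuous, unmatched 'left')."""
    open_since, intervals, orphans = {}, [], []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        dev = m["dev"]
        if m["what"] == "entered":
            open_since.setdefault(dev, ts)    # keep the earliest open time
        elif dev in open_since:
            start = open_since.pop(dev)
            intervals.append((dev, start, ts, (ts - start).total_seconds()))
        else:
            orphans.append((dev, ts))         # "entered" rotated away or missing
    return intervals, open_since, orphans

def ifconfig_promisc(ifconfig_text):
    """Interfaces whose flag line (old net-tools layout, as above) has PROMISC."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]         # unindented line starts a new block
        elif current and "PROMISC" in line.split():
            found.append(current)
    return found

if __name__ == "__main__":
    closed, still_open, orphans = promisc_report(SAMPLE_LOG)
    for dev, start, end, secs in closed:
        print(f"{dev}: promiscuous {start} -> {end} ({secs:.0f}s)")
    print("still promiscuous:", sorted(still_open), "| unmatched left:", orphans)
```

On current kernels a sniffer that enables promiscuous mode through a packet socket may not show PROMISC in ifconfig output, while the kernel log line is still written, so the log check is the more reliable of the two.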
promiscuous eth0
I recently installed snort on my laptop to check it out and now my pcmcia network card will pass IP only when snort is running (daemon mode or not), or I have to put my network card in promiscuous mode [#ifconfig eth0 -promisc].

I can't find any configuration that is obvious to me that would cause this, but I'm an intermediate linux user. Any suggestions on where to look and what to look for? Also, what problems might using promiscuous mode cause?

thanks,
jc
Re: promiscuous eth0
Hi Jeff.

My pcmcia netcard also doesn't work when I switch on my laptop. When I type ifconfig it prints:

    UP BROADCAST RUNNING

then I enable multicast (ifconfig eth0 multicast)

It works and ifconfig prints

    UP BROADCAST RUNNING MULTICAST

Kristian F. Høgh.

Jeff Coppock wrote:

> I recently installed snort on my laptop to check it out and now my pcmcia network card will pass IP only when snort is running (daemon mode or not), or I have to put my network card in promiscuous mode [#ifconfig eth0 -promisc].
>
> I can't find any configuration that is obvious to me that would cause this, but I'm an intermediate linux user. Any suggestions on where to look and what to look for? Also, what problems might using promiscuous mode cause?
>
> thanks,
> jc
Re: promiscuous eth0
Jeff,

It can potentially slow your machine down somewhat, as now the kernel has to handle each and every frame transmitted on the network eth0 is attached to, rather than only the ones addressed to your machine and broadcasts. Quite a lot of load if your system isn't addressed much on a high-traffic LAN.

Also, paranoid network administrators might be a little upset by it, since Linux sends out a frame indicating it is switching into (or out of) promiscuous mode. This is possible evidence that you're running a sniffer of some kind (such as snort).

It seems quite strange that your PCMCIA network card doesn't function properly unless promiscuous mode is enabled. This is not normal behavior, and should be investigated as a technical difficulty.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9

On Fri, 2 Mar 2001, Jeff Coppock wrote:

> I recently installed snort on my laptop to check it out and now my pcmcia network card will pass IP only when snort is running (daemon mode or not), or I have to put my network card in promiscuous mode [#ifconfig eth0 -promisc].
>
> I can't find any configuration that is obvious to me that would cause this, but I'm an intermediate linux user. Any suggestions on where to look and what to look for? Also, what problems might using promiscuous mode cause?
>
> thanks,
> jc