Re: Promiscuous ports under Linux

2017-05-04 Thread Peter Pearson

On Thu, 4 May 2017 18:04:02 + (UTC), Grant Edwards wrote:
> On 2017-05-04, Peter Pearson  wrote:
>
>> I'm curious to survey all my LAN traffic in various ways, and it seems
>> likely that I will see phenomena that I don't understand, and focussing
>> in on those phenomena is likely to require more flexible filtering
>> than Wireshark can provide.  I expect to leave this process running for
>> maybe 24 hours at a stretch, maybe longer, with real-time alerts when
>> interesting things occur.
>
> You can use libpcap (which is what wireshark uses on Linux) to deal with
> the details of capturing the packets and do the analysis in Python.
>
>> Maybe Wireshark can do everything I'll ever need to do, but it seems
>> so complicated, and Python seems so simple . . .
>
> I've been using pylibpcap for yonks, and have no complaints.
>
>   https://sourceforge.net/projects/pylibpcap/
[snip]

Hey, that might do the job.  Thanks!

-- 
To email me, substitute nowhere->runbox, invalid->com.
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Promiscuous ports under Linux

2017-05-04 Thread Grant Edwards
On 2017-05-04, Peter Pearson  wrote:

> I'm curious to survey all my LAN traffic in various ways, and it seems
> likely that I will see phenomena that I don't understand, and focussing
> in on those phenomena is likely to require more flexible filtering
> than Wireshark can provide.  I expect to leave this process running for
> maybe 24 hours at a stretch, maybe longer, with real-time alerts when
> interesting things occur.

You can use libpcap (which is what wireshark uses on Linux) to deal with
the details of capturing the packets and do the analysis in Python.

> Maybe Wireshark can do everything I'll ever need to do, but it seems
> so complicated, and Python seems so simple . . .

I've been using pylibpcap for yonks, and have no complaints.

  https://sourceforge.net/projects/pylibpcap/

Another advantage of pylibpcap is that you can use it to read files
saved by wireshark or tcpdump.

-- 
Grant Edwards   grant.b.edwards at gmail.com
Yow! Somewhere in DOWNTOWN BURBANK a prostitute is OVERCOOKING a LAMB CHOP!!

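Added example for the "read files saved by wireshark or tcpdump, analyse in Python" point above. It is not pylibpcap code (the thread shows none of its API) but a self-contained reader for the classic libpcap file format that `tcpdump -w` writes, feeding an alert rule of the kind a long-running LAN survey would want: an IP address whose ARP sender MAC changes. The three-frame capture embedded at the bottom is constructed for the example, and the addresses and MACs in it are made up.

```python
"""Offline analysis of a tcpdump/Wireshark capture with an ARP alert rule.

Added example, not pylibpcap or Wireshark code. Parses the classic libpcap
file format (magic 0xa1b2c3d4) with only the struct module, then flags an
IP address that is claimed by two different MACs. SAMPLE_PCAP is constructed
here, not a real trace.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4     # microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def read_pcap(data: bytes):
    """Yield (timestamp, frame) for every record of an Ethernet pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_US:
        endian = "<"                 # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                 # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    *_, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def arp_conflicts(records):
    """Alert when an IP's ARP sender MAC differs from the first MAC seen for it.

    Works on (timestamp, frame) pairs from read_pcap() or, one at a time,
    from a live capture. Returns (timestamp, ip, first_mac, new_mac) tuples.
    """
    first_seen = {}
    alerts = []
    for ts, frame in records:
        arp = parse_arp(frame)
        if arp is None:
            continue
        _opcode, mac, ip = arp
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, ip, known, mac))
    return alerts


def _arp_frame(opcode, sender_mac, sender_ip, target_ip):
    """Construct a broadcast Ethernet/ARP frame (sample data only)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return (eth + arp).ljust(60, b"\x00")   # pad to the minimum frame size


def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


# Constructed addresses for the sample capture (not real hosts).
GATEWAY = bytes([192, 168, 1, 1])
HOST = bytes([192, 168, 1, 20])
GATEWAY_MAC = bytes.fromhex("aabbcc000001")
HOST_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("deadbeef0001")

# Three frames: a reply from the gateway, a request from a host, then a
# reply claiming the gateway's IP from a different MAC.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + _record(1, _arp_frame(2, GATEWAY_MAC, GATEWAY, HOST))
    + _record(2, _arp_frame(1, HOST_MAC, HOST, GATEWAY))
    + _record(3, _arp_frame(2, OTHER_MAC, GATEWAY, HOST))
)


def alerts_in(pcap_bytes: bytes):
    return arp_conflicts(read_pcap(pcap_bytes))


if __name__ == "__main__":
    for ts, ip, was, now in alerts_in(SAMPLE_PCAP):
        print("t=%.0f ALERT %s moved from %s to %s" % (ts, ip, was, now))
```

Feed `read_pcap(open("capture.pcap", "rb").read())` to `arp_conflicts` for a saved file; for the 24-hour live run the same function accepts frames from a raw socket as they arrive. A MAC change is not always hostile (a replaced NIC or a DHCP lease reused by another machine produces the same alert), which is exactly why a survey wants the timestamp and both MACs in the alert rather than a bare flag.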


Re: Promiscuous ports under Linux

2017-05-04 Thread Peter Pearson
On Thu, 04 May 2017 10:26:45 GMT, alister  wrote:
> On Wed, 03 May 2017 23:57:49 +, Peter Pearson wrote:
>
>> Cobbling together a minimalist ethernet-sniffing program, I was hoping
>> to use this simple mechanism for setting the socket to "promiscuous
>> mode" (to see all traffic going past, instead of just traffic addressed
>> to my machine):
>> 
>> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>> 
>> Unfortunately, it seems that that mechanism is available under Windows
>> but not under Linux.  Googling around for Linux equivalents, I found
>> only very contorted solutions, and concluded that maybe this lacuna
>> persists because Linux users find it convenient to invoke promiscuous
>> mode from the command line, instead:
>> 
>> $ sudo ip link set eth0 promisc on
>> $ netstat -i# (Verify that the P flag is set.)
>> 
>> This somehow fails: my sniffer continues to see only broadcasts,
>> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
>> 
>> So my question is now two questions:
>> 
>>  . Is it true that going promiscuous under Linux must be somewhat ugly?
>>(It's OK if it is, I'll just copy the ugly code and get moving
>>again.)
>> 
>>  . Why doesn't the command-line "promisc on" work?  (Granted, this is
>>maybe a Linux question.)
>> 
>> Thanks.
>
> any particular reason why you wish to re-invent this particular wheel 
> when wireshark is freely available (& the de-facto tool of choice for 
> most network engineers)

I'm curious to survey all my LAN traffic in various ways, and it seems
likely that I will see phenomena that I don't understand, and focussing
in on those phenomena is likely to require more flexible filtering
than Wireshark can provide.  I expect to leave this process running for
maybe 24 hours at a stretch, maybe longer, with real-time alerts when
interesting things occur.

Maybe Wireshark can do everything I'll ever need to do, but it seems
so complicated, and Python seems so simple . . .

-- 
To email me, substitute nowhere->runbox, invalid->com.


Re: Promiscuous ports under Linux

2017-05-04 Thread alister
On Thu, 04 May 2017 14:11:04 +0300, Marko Rauhamaa wrote:

> alister :
> 
>> On Wed, 03 May 2017 23:57:49 +, Peter Pearson wrote:
>>
>>> Cobbling together a minimalist ethernet-sniffing program, I was hoping
>>> to use this simple mechanism for setting the socket to "promiscuous
>>> mode" (to see all traffic going past, instead of just traffic
>>> addressed to my machine):
>>
>> [...]
>>
>> any particular reason why you wish to re-invent this particular wheel
>> when wireshark is freely available (& the de-facto tool of choice for
>> most network engineers)
> 
> There are a million plausible reasons. "Just because" is among the
> noblest of them.
> 
> Your question has the ring of: Why do you want to compose music when you
> can simply turn on the radio?
> 
> 
> Marko

not at all, it was simple curiosity.
I have recreated many wheels "just because" as it is a great way to learn 
but it is important to know that it is probably not the best solution.

(likewise if you have heard my guitar playing/karaoke you would agree 
that turning on the radio is preferred)



-- 
Pereant, inquit, qui ante nos nostra dixerunt.
[Confound those who have said our remarks before us.]
or
[May they perish who have expressed our bright ideas before us.]
-- Aelius Donatus


Re: Promiscuous ports under Linux

2017-05-04 Thread Marko Rauhamaa
alister :

> On Wed, 03 May 2017 23:57:49 +, Peter Pearson wrote:
>
>> Cobbling together a minimalist ethernet-sniffing program, I was
>> hoping to use this simple mechanism for setting the socket to
>> "promiscuous mode" (to see all traffic going past, instead of just
>> traffic addressed to my machine):
>
> [...]
>
> any particular reason why you wish to re-invent this particular wheel
> when wireshark is freely available (& the de-facto tool of choice for
> most network engineers)

There are a million plausible reasons. "Just because" is among the
noblest of them.

Your question has the ring of: Why do you want to compose music when you
can simply turn on the radio?


Marko


Re: Promiscuous ports under Linux

2017-05-04 Thread alister
On Wed, 03 May 2017 23:57:49 +, Peter Pearson wrote:

> Cobbling together a minimalist ethernet-sniffing program, I was hoping
> to use this simple mechanism for setting the socket to "promiscuous
> mode" (to see all traffic going past, instead of just traffic addressed
> to my machine):
> 
> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
> 
> Unfortunately, it seems that that mechanism is available under Windows
> but not under Linux.  Googling around for Linux equivalents, I found
> only very contorted solutions, and concluded that maybe this lacuna
> persists because Linux users find it convenient to invoke promiscuous
> mode from the command line, instead:
> 
> $ sudo ip link set eth0 promisc on
> $ netstat -i# (Verify that the P flag is set.)
> 
> This somehow fails: my sniffer continues to see only broadcasts,
> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
> 
> So my question is now two questions:
> 
>  . Is it true that going promiscuous under Linux must be somewhat ugly?
>(It's OK if it is, I'll just copy the ugly code and get moving
>again.)
> 
>  . Why doesn't the command-line "promisc on" work?  (Granted, this is
>maybe a Linux question.)
> 
> Thanks.

any particular reason why you wish to re-invent this particular wheel 
when wireshark is freely available (& the de-facto tool of choice for 
most network engineers)



-- 
Come quickly, I am tasting stars!
-- Dom Perignon, upon discovering champagne.


Re: Promiscuous ports under Linux

2017-05-03 Thread Marko Rauhamaa
Peter Pearson :

> Cobbling together a minimalist ethernet-sniffing program, I was hoping
> to use this simple mechanism for setting the socket to "promiscuous
> mode" (to see all traffic going past, instead of just traffic
> addressed to my machine):
>
> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>
> Unfortunately, it seems that that mechanism is available under Windows
> but not under Linux.

Can't remember having done that for years, if ever. However, one place
to give you pointers is running:

 strace tcpdump

as root. It reveals all the system calls involved.


Marko


Re: Promiscuous ports under Linux

2017-05-03 Thread Peter Pearson
On Wed, 3 May 2017 18:09:08 -0700, Rob Gaddi wrote:
> On 05/03/2017 04:57 PM, Peter Pearson wrote:
>> Cobbling together a minimalist ethernet-sniffing program, I was hoping
>> to use this simple mechanism for setting the socket to "promiscuous
>> mode" (to see all traffic going past, instead of just traffic addressed
>> to my machine):
>>
>> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>>
>> Unfortunately, it seems that that mechanism is available under Windows
>> but not under Linux.  Googling around for Linux equivalents, I found
>> only very contorted solutions, and concluded that maybe this lacuna
>> persists because Linux users find it convenient to invoke promiscuous
>> mode from the command line, instead:
>>
>> $ sudo ip link set eth0 promisc on
>> $ netstat -i# (Verify that the P flag is set.)
>>
>> This somehow fails: my sniffer continues to see only broadcasts,
>> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
>>
>> So my question is now two questions:
>>
>>  . Is it true that going promiscuous under Linux must be somewhat ugly?
>>(It's OK if it is, I'll just copy the ugly code and get moving again.)
>>
>>  . Why doesn't the command-line "promisc on" work?  (Granted, this is
>>maybe a Linux question.)
>>
>> Thanks.
>>
>
> Tried running it as root?

Good question; I should have mentioned: Yes:

$ sudo python3 sniff_survey.py


-- 
To email me, substitute nowhere->runbox, invalid->com.


Re: Promiscuous ports under Linux

2017-05-03 Thread Rob Gaddi

On 05/03/2017 04:57 PM, Peter Pearson wrote:

> Cobbling together a minimalist ethernet-sniffing program, I was hoping
> to use this simple mechanism for setting the socket to "promiscuous
> mode" (to see all traffic going past, instead of just traffic addressed
> to my machine):
>
> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>
> Unfortunately, it seems that that mechanism is available under Windows
> but not under Linux.  Googling around for Linux equivalents, I found
> only very contorted solutions, and concluded that maybe this lacuna
> persists because Linux users find it convenient to invoke promiscuous
> mode from the command line, instead:
>
> $ sudo ip link set eth0 promisc on
> $ netstat -i# (Verify that the P flag is set.)
>
> This somehow fails: my sniffer continues to see only broadcasts,
> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
>
> So my question is now two questions:
>
>  . Is it true that going promiscuous under Linux must be somewhat ugly?
>    (It's OK if it is, I'll just copy the ugly code and get moving again.)
>
>  . Why doesn't the command-line "promisc on" work?  (Granted, this is
>    maybe a Linux question.)
>
> Thanks.



Tried running it as root?

--
Rob Gaddi, Highland Technology -- www.highlandtechnology.com
Email address domain is currently out of order.  See above to fix.


Promiscuous ports under Linux

2017-05-03 Thread Peter Pearson
Cobbling together a minimalist ethernet-sniffing program, I was hoping
to use this simple mechanism for setting the socket to "promiscuous
mode" (to see all traffic going past, instead of just traffic addressed
to my machine):

s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

Unfortunately, it seems that that mechanism is available under Windows
but not under Linux.  Googling around for Linux equivalents, I found
only very contorted solutions, and concluded that maybe this lacuna
persists because Linux users find it convenient to invoke promiscuous
mode from the command line, instead:

$ sudo ip link set eth0 promisc on
$ netstat -i# (Verify that the P flag is set.)

This somehow fails: my sniffer continues to see only broadcasts,
but if I run dumpcap at the same time, dumpcap captures lots of traffic.

So my question is now two questions:

 . Is it true that going promiscuous under Linux must be somewhat ugly?
   (It's OK if it is, I'll just copy the ugly code and get moving again.)

 . Why doesn't the command-line "promisc on" work?  (Granted, this is
   maybe a Linux question.)

Thanks.

-- 
To email me, substitute nowhere->runbox, invalid->com.
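Added example, not code from the thread: the way Linux exposes promiscuous mode to a program is the `PACKET_ADD_MEMBERSHIP` socket option with `PACKET_MR_PROMISC` on an `AF_PACKET` socket (documented in packet(7)), which is what the Windows `SIO_RCVALL` ioctl corresponds to here, plus a read of the `IFF_PROMISC` flag that the `netstat -i` step above checks by hand. It assumes Linux, Python 3.3+ (for `socket.if_nametoindex`), root or `CAP_NET_RAW`/`CAP_NET_ADMIN` for the socket calls, and the interface name `eth0` from the shell command in the post; `SAMPLE_FRAME` is constructed, and the pure helpers run without privileges.

```python
"""Promiscuous capture on Linux with a raw AF_PACKET socket.

Added example, not code from the thread. open_sniffer()/survey() need Linux
and root; pack_mreq(), parse_ethernet() and is_broadcast() are pure.
"""
import fcntl
import socket
import struct

ETH_P_ALL = 0x0003      # linux/if_ether.h: deliver every EtherType, not only IP
SIOCGIFFLAGS = 0x8913   # linux/sockios.h: read interface flags into an ifreq
IFF_PROMISC = 0x0100    # linux/if.h: the "P" flag that netstat -i prints
# Linux-only socket constants, with their kernel values as a fallback so the
# pure helpers still import elsewhere.
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)
PACKET_ADD_MEMBERSHIP = getattr(socket, "PACKET_ADD_MEMBERSHIP", 1)
PACKET_MR_PROMISC = getattr(socket, "PACKET_MR_PROMISC", 1)


def pack_mreq(ifindex: int) -> bytes:
    """Build struct packet_mreq (linux/if_packet.h) requesting PACKET_MR_PROMISC.

    struct packet_mreq { int mr_ifindex; unsigned short mr_type;
                         unsigned short mr_alen; unsigned char mr_address[8]; };
    """
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"\x00" * 8)


def admin_promisc_flag(sock: socket.socket, ifname: str) -> bool:
    """Read IFF_PROMISC via SIOCGIFFLAGS, the flag `ip link` and netstat show.

    This reflects only the administrative setting made by
    `ip link set <if> promisc on`; a PACKET_MR_PROMISC membership bumps the
    device's promiscuity counter instead (`ip -d link show <if>`), so False
    here does not mean the socket opened below is not promiscuous.
    """
    ifreq = struct.pack("16sH14s", ifname.encode(), 0, b"\x00" * 14)
    flags = struct.unpack("16sH14s",
                          fcntl.ioctl(sock.fileno(), SIOCGIFFLAGS, ifreq))[1]
    return bool(flags & IFF_PROMISC)


def open_sniffer(ifname: str) -> socket.socket:
    """Raw socket on ifname receiving all EtherTypes, promiscuous for its lifetime.

    The kernel drops the membership when the socket closes, so nothing is
    left switched on after the program exits (unlike the ip link command).
    """
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP,
                 pack_mreq(socket.if_nametoindex(ifname)))
    return s


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from an Ethernet II frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    as_mac = lambda raw: ":".join("%02x" % b for b in raw)
    return as_mac(dst), as_mac(src), ethertype


def is_broadcast(frame: bytes) -> bool:
    return frame[:6] == b"\xff" * 6


def survey(ifname: str = "eth0", count: int = 100) -> dict:
    """Tally frames by destination class.

    A sniffer whose "unicast_other" count never moves is not receiving
    promiscuously, or the switch is not delivering other hosts' unicast
    traffic to this port in the first place.
    """
    tally = {"broadcast": 0, "multicast": 0, "unicast_to_me": 0,
             "unicast_other": 0, "admin_promisc": False}
    with open_sniffer(ifname) as s:
        tally["admin_promisc"] = admin_promisc_flag(s, ifname)
        my_mac = ":".join("%02x" % b for b in s.getsockname()[4])
        for _ in range(count):
            frame = s.recv(65535)
            if is_broadcast(frame):
                tally["broadcast"] += 1
            elif frame[0] & 1:                       # group bit set
                tally["multicast"] += 1
            elif parse_ethernet(frame)[0] == my_mac:
                tally["unicast_to_me"] += 1
            else:
                tally["unicast_other"] += 1
    return tally


# Constructed sample: an ARP broadcast from 00:11:22:33:44:55, padded to 60 bytes.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806").ljust(60, b"\x00")

if __name__ == "__main__":
    import sys
    print(survey(sys.argv[1] if len(sys.argv) > 1 else "eth0"))
```

Run it as `sudo python3 sniffer.py eth0` and compare the tally with what dumpcap sees on the same interface at the same time. Two things to keep in mind when interpreting the numbers: the P flag reported by `netstat -i` only tracks the administrative `promisc on` setting, so a capture can be fully promiscuous with that flag clear; and on a switched LAN promiscuous mode only exposes what the switch delivers to the port (broadcast, multicast and flooded frames), so seeing other hosts' unicast traffic needs a mirror port regardless of how the socket is opened.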