Received: (at submit) by bugs.debian.org; 17 Mar 2001 20:04:13 +0000
From ssahmed@pathcom.com Sat Mar 17 14:04:13 2001
Return-path:
Received: from femail2.rdc1.on.home.com [24.2.9.89] by master.debian.org with esmtp (Exim 3.12 1 (Debian)) id 14eMvs-0003nM-00; Sat, 17 Mar 2001 14:04:12 -0600
Received: from viper ([24.43.121.67]) by femail2.rdc1.on.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010317200352.MKUQ29886.femail2.rdc1.on.home.com@viper> for ; Sat, 17 Mar 2001 12:03:52 -0800
Received: from viper.earth (localhost [127.0.0.1]) by viper (Postfix) with ESMTP id 779B61602E for ; Sat, 17 Mar 2001 15:13:49 -0500 (EST)
Date: Sat, 17 Mar 2001 15:13:49 -0500
X-Mailer: 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid (via feedmail 9-beta-7 I); VM 6.92 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15027.50556.948282.705791@viper.earth>
From: S.Salman Ahmed
To: submit@bugs.debian.org
Subject: ifconfig doesn't report PROMISCuous status of network interface
Reply-To: ssahmed@pathcom.com
X-No-Archive: Yes
X-Operating-System: Linux viper 2.4.2 i686
X-Organization: Salman Ahmed Software & Consulting
X-Disclaimer: I didn't do it, little green aliens wrote this email
Delivered-To: submit@bugs.debian.org

Package: net-tools
Version: 1.58-2
Distribution: Sid

@viper:[/home/ssahmed/News/Pan] cat /etc/debian_version
testing/unstable

Running a sniffer like tcpdump and/or snort, ifconfig doesn't report my ethernet interfaces as being in PROMISCuous mode. However, the dmesg buffer and /var/log/kern.log both report the ethernet interfaces as being switched to promiscuous mode (and when I stop the sniffer(s), dmesg and /var/log/kern.log report that the network interface has indeed left promiscuous mode).

Tested with kernel 2.4.2, 2.4.1, and 2.2.18 on two updated sid systems.
On one system, the NIC is a D-LINK 530TX+ using the 8139too.c ethernet driver compiled into the kernel. On the other system (my firewall), the two NICs are:

    eth0: Sohoware NDC 10/100 using the tulip.c driver
    eth1: D-Link 530TX+ using the 8139too.c driver

Same behaviour of ifconfig (fails to report the promiscuous status of the network interfaces) on the firewall system even with the Sohoware NIC that uses the tulip driver.

However, using the tools from the iproute package I can see the promiscuous state of an interface:

    ip link show eth0

This correctly reports the network interface as being in promiscuous mode when either tcpdump or snort is running, while ifconfig reports that the network interface isn't.

Also, changing the promiscuous state of the interface using ifconfig reports the status correctly, i.e.:

    ifconfig eth0 promisc (or ifconfig eth0 -promisc)

I have already verified that my systems haven't been compromised (debsums all check out). Recompiled the 2.4.2 kernel without loadable module support to rule out the possibility of the Knark rootkit; the behaviour of ifconfig still persists.

Please also see the related discussion thread on debian-security:

    http://lists.debian.org/debian-security-0103/msg00207.html

Here is a report from another user experiencing the same behaviour of ifconfig that I have described:

    http://lists.debian.org/debian-security-0103/msg00224.html

Thanks.

-- 
Salman Ahmed
ssahmed AT pathcom DOT com
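
An added example, not part of the original report or of net-tools: a shell cross-check for the mismatch described above, comparing the kernel log's "device <if> entered/left promiscuous mode" messages with the flags ifconfig prints. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from the report).
SAMPLE_KLOG='Mar 17 15:01:02 host kernel: device eth0 entered promiscuous mode
Mar 17 15:03:10 host kernel: device eth1 entered promiscuous mode
Mar 17 15:04:44 host kernel: device eth1 left promiscuous mode'

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# stdin: kernel log text. Prints interfaces whose most recent
# promiscuous-mode event in that log is "entered".
klog_promisc_ifaces() {
    awk '
        match($0, /device [^ ]+ (entered|left) promiscuous mode/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            state[f[2]] = f[3]          # later lines overwrite earlier ones
        }
        END { for (i in state) if (state[i] == "entered") print i }
    ' | sort
}

# stdin: ifconfig output. Prints interfaces whose flag list contains PROMISC.
ifconfig_promisc_ifaces() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }   # start of a new stanza
        {
            n = split($0, w, /[^A-Z]+/)
            for (k = 1; k <= n; k++) if (w[k] == "PROMISC") print iface
        }
    ' | sort -u
}

# $1 = kernel log text, $2 = ifconfig output.
# Prints interfaces the kernel log says are promiscuous but ifconfig does not flag.
hidden_promisc() {
    shown=$(printf '%s\n' "$2" | ifconfig_promisc_ifaces)
    printf '%s\n' "$1" | klog_promisc_ifaces | while read -r ifc; do
        printf '%s\n' "$shown" | grep -qxF "$ifc" || printf '%s\n' "$ifc"
    done
}

# Run against the constructed samples.
hidden_promisc "$SAMPLE_KLOG" "$SAMPLE_IFCONFIG"
```

On a live system the same function can be fed `"$(dmesg)"` and `"$(ifconfig -a)"`; the result only covers events still present in the log that is read.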