Re: Interface promiscuity obscurity in Linux
From: Ademar de Souza Reis Jr. (ademar@conectiva.com.br)Date: 07/25/02
- Previous message: Marco van Berkum: "Novell GroupWise 6.0.1 Support Pack 1 Bufferoverflow"
- In reply to: Ricardo Branco: "Interface promiscuity obscurity in Linux"
- Next in thread: Glynn Clements: "Re: Interface promiscuity obscurity in Linux"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Jul 2002 09:40:50 -0300 From: "Ademar de Souza Reis Jr." <ademar@conectiva.com.br> To: Ricardo Branco <97-29312@ldc.usb.ve>
On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
>
> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.
I noticed it some time ago and did a little research to discover why this
happens. There are some results/discussion in our bugzilla:
http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=5201
(I'm sorry some parts of this page are in brazilian portuguese)
This subject was already discussed in the linux-kernel mailing list:
PACKET_MR_PROMISC doesn't set IFF_PROMISC
http://www.uwsg.iu.edu/hypermail/linux/kernel/0101.2/1349.html
Misreporting of the PROMISC flag
http://www.uwsg.iu.edu/hypermail/linux/kernel/9705.2/0284.html
And in the tcpdump-workers list:
[tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00192.html
Re: [tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00184.html
Transcripting some interesting parts of the message above:
...
"This means that only promiscuity requested by SIOCSIFFLAGS will show up
in SIOCGIFFLAGS, not promiscuity requested by PACKET_MR_PROMISC."
...
"
> IFF_PROMISC is not set,
It's not supposed to be set.
The correct way to put into promiscuous mode the device to which a
PF_PACKET socket is to do a SOL_PACKET/PACKET_ADD_MEMBERSHIP
"setsockopt()" call with PACKET_MR_PROMISC as the argument (see the
"packet(7)" man page), and that's what libpcap is doing.
The old way of directly setting IFF_PROMISC had problems - [...]
...
And in other message (same thread):
"
Just to make things clear:
the >= 2.2 kernels have a new way of setting promiscous mode via
setsockopt(). We use this sicne a few month in pcap. It has the advantage
of thread-safeness. The usage of ioctl() is depreciated. ifconfig doesnt
show the flag, b/c kernel filters it out. Dont know why.
Administrators should note that they dont see sniffers anymore on >= 2.2
kernels!
"
Although I think fixing ifconfig would be a good thing(TM), it's considered
obsolete. Use the the "ip" utility instead.
Cheers.
- Ademar
-- Ademar de Souza Reis Jr. <ademar@conectiva.com.br> Conectiva S/A - http://www.conectiva.com^[:wq!
- Previous message: Marco van Berkum: "Novell GroupWise 6.0.1 Support Pack 1 Bufferoverflow"
- In reply to: Ricardo Branco: "Interface promiscuity obscurity in Linux"
- Next in thread: Glynn Clements: "Re: Interface promiscuity obscurity in Linux"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
