On Mon, 14 Apr 1997, Shawn Ramsey wrote:
> > > I just got in to work this morning and saw this on my terminal:
> >
> > >
> > > Apr 13 15:06:43 temp1 /kernal: ed0: promiscuous mode enabled
> > >
> > > What does it mean?
> > >
> >
> > Just that. :)
> >
> > It means this interface is now receiving all packets, and the kernel
> > decides what to do with them :)
> >
> > Usually it's caused by people running 'tcpdump' .. however it COULD be
> > packet-sniffer programs. Do you have the bpfilter compiled into your
> > kernel?
>
> I get the same thing with trafshow, which uses bpfilter.

Yes, any program which needs to see all data on the network
instead of only data addressed to the localhost puts the ethernet
interface into promiscuous mode. As you mentioned this includes tools
such as tcpdump, trafshow, lanstat and anything which uses libpcap.
These programs are legit when used for legit purposes.

My point was that promiscuous mode can be a real security
nightmare if people have access to it who should not. Software such as
the password sniffing processes which are part of RootKit, a common
hacker/cracker's toolkit, uses promiscuous mode. You should not blindly
ignore these messages if you do not know who is running them. Establish
that promiscuous mode was being used by an "authorized" person.

cheers,
Adrian
--
adrian@virginia.edu ---->>>>| Support your local programmer,
System Administrator --->>>| STOP Software Patent Abuses NOW!
NVL, NIIMS and Telemedicine Labs -->>| For an application and information
Member: League for Programming Freedom ->| see: http://www.lpf.org/
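
Added example, not part of the original thread: one way to review syslog for the kernel message quoted above and list the promiscuous-mode periods that no approved capture accounts for. The "disabled" message form, the AUTHORIZED record and every log line except the one quoted in the thread are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Message format as quoted in the thread; the "disabled" form is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S+:\s+"
    r"(?P<ifname>\w+):\s+promiscuous mode (?P<state>enabled|disabled)\s*$"
)

def promisc_windows(lines, year):
    """Pair enable/disable events per (host, interface); syslog omits the year."""
    open_since, windows = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["ifname"])
        if m["state"] == "enabled":
            open_since.setdefault(key, ts)  # keep the earliest unmatched enable
        elif key in open_since:
            windows.append((key, open_since.pop(key), ts))
    # Interfaces never seen leaving promiscuous mode get an open-ended window.
    windows.extend((key, start, None) for key, start in open_since.items())
    return windows

def unaccounted(windows, authorized):
    """Windows not fully inside an approved (host, ifname, start, end) record."""
    flagged = []
    for (host, ifname), start, end in windows:
        covered = any(
            h == host and i == ifname and a <= start and end is not None and end <= b
            for h, i, a, b in authorized
        )
        if not covered:
            flagged.append(((host, ifname), start, end))
    return flagged

SAMPLE_LOG = [
    "Apr 12 09:00:01 temp1 /kernel: ed0: promiscuous mode enabled",   # constructed
    "Apr 12 09:05:30 temp1 /kernel: ed0: promiscuous mode disabled",  # constructed
    "Apr 12 09:10:00 temp1 /kernel: ed0: device timeout",             # constructed
    "Apr 13 15:06:43 temp1 /kernal: ed0: promiscuous mode enabled",   # from the thread
]
# Hypothetical record of an approved tcpdump session on temp1.
AUTHORIZED = [("temp1", "ed0", datetime(1997, 4, 12, 8, 55), datetime(1997, 4, 12, 9, 30))]

if __name__ == "__main__":
    for (host, ifname), start, end in unaccounted(promisc_windows(SAMPLE_LOG, 1997), AUTHORIZED):
        print(f"{host} {ifname}: promiscuous from {start} until {end or 'still enabled'}")
```

An open-ended window is always flagged, since an interface that never left promiscuous mode cannot be matched to a finished, approved capture.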