Discussion:
just running tcpdump makes promisc mode?
Monty Ree
2004-06-23 07:21:21 UTC
Hello, all.

I have been running Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the message below.

"device eth0 entered promiscuous mode"

and when I stop tcpdump or snort, dmesg shows the message below.

"device eth0 left promiscuous mode"

But I can't find a PROMISC flag when I execute ifconfig while tcpdump or
snort is running.

Why are the results of dmesg and ifconfig different?



Thanks in advance.

John Madden
2004-06-24 13:11:45 UTC
Post by Monty Ree
But I can't find a PROMISC flag when I execute ifconfig while tcpdump or
snort is running.
ifconfig is notorious for not reporting the promisc status correctly.
Use "ip link show" instead.

John
--
# John Madden ***@freelists.org
# MailandFiles.com: Your mail, your files: http://www.mailandfiles.com
# FreeLists: Free mailing lists for all: http://www.freelists.org
# Linux, Apache, Perl and C: All the best things in life are free!
Fred Barnes
2004-06-24 13:37:14 UTC
Hi Monty,
Post by Monty Ree
I have been running Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the message below.
"device eth0 entered promiscuous mode"
and when I stop tcpdump or snort, dmesg shows the message below.
"device eth0 left promiscuous mode"
That's tcpdump (or rather libpcap I guess) putting the interface into
promiscuous mode -- i.e. it'll receive all packets it sees on the wire,
regardless of IP/netmask/etc. Different cards may vary in their
handling of this.
Post by Monty Ree
But I can't find a PROMISC flag when I execute ifconfig while tcpdump or
snort is running.
Why are the results of dmesg and ifconfig different?
Because ifconfig configures interfaces. It has no need to receive all
packets on the wire. dmesg displays the kernel message buffer; it has
nothing to do with configuring interfaces or tcpdump really.


Regards,

-- Fred
Public
2004-06-24 13:15:03 UTC
Post by Monty Ree
Hello, all.
I have been running Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the message below.
"device eth0 entered promiscuous mode"
and when I stop tcpdump or snort, dmesg shows the message below.
"device eth0 left promiscuous mode"
But I can't find a PROMISC flag when I execute ifconfig while tcpdump or
snort is running.
Why are the results of dmesg and ifconfig different?
...

ifconfig on Linux does not always report the correct state of
promiscuous mode. See:
http://marc.theaimsgroup.com/?l=snort-users&m=99249371217700&w=2
http://www.ussg.iu.edu/hypermail/linux/net/0101.2/0060.html


One solution is to use the "ip" command instead.
e.g. "/sbin/ip link show"

I believe chkrootkit may also have a tool to show the state of a network
interface. It is available at: http://www.chkrootkit.org/

- Paul Beltrani
Eric Paynter
2004-06-24 17:11:50 UTC
Post by Monty Ree
I have been running Red Hat Linux 7.x, whose kernel is 2.4.26.
When I run tcpdump or snort, dmesg shows the message below.
"device eth0 entered promiscuous mode"
and when I stop tcpdump or snort, dmesg shows the message below.
"device eth0 left promiscuous mode"
But I can't find a PROMISC flag when I execute ifconfig while tcpdump or
snort is running.
Why are the results of dmesg and ifconfig different?
I don't know why your ifconfig is not reporting promisc, but if you don't
want promisc:

$ man tcpdump
[...]
-p Don't put the interface into promiscuous mode.
Note that the interface might be in promiscuous
mode for some other reason; hence, `-p' cannot be
used as an abbreviation for `ether host {local-hw-
addr} or ether broadcast'.


-Eric

--
arctic bears - affordable email and name services @yourdomain.com
http://www.arcticbears.com
Craig Van Tassle
2004-06-24 14:17:58 UTC
As I recall, they use IOCTL() to change the device to Promiscuous mode.
That may be the reason why they are not showing as promiscuous when you
see the results of an ifconfig.

I may be wrong though. I don't have my Stevens book on me at the moment.

Craig
--
Craig Van Tassle
Ideal Systems, INC
Network Administrator
Toll-Free:(888)308-9888
Mobile: (224)659-0796
Email: ***@idealsystems.com
Skander Ben Mansour
2004-06-24 16:47:20 UTC
Hi Monty,

This might be a sign that your system has been compromised and a
rootkit installed.

Some rootkits contain sniffers that set the network interface card into
promiscuous mode. The objective is to capture passwords or other
interesting traffic on the network of the compromised host.

How is that relevant to your situation?

In order not to be detected, the rootkit subverts the output of
ifconfig not to show the PROMISC flag on the sniffing interface.
(The rootkit actually replaces the ifconfig program by a trojan, along
with many many other common system programs like ps, ls, top,...)

This sometimes results in ifconfig not displaying the promiscuous state
of an interface that was legitimately set in promiscuous mode by the
administrator (e.g. when running tcpdump or snort).

An example of such a rootkit is the T0rn rootkit described on the website
below:
http://www.sophos.com/virusinfo/analyses/trojt0rnkit.html

Good luck in your investigations.

Best Regards,

Skander Ben Mansour, CISSP


Marco Monicelli
2004-06-29 06:41:14 UTC



Very right indeed.

Just two words to say that modern rootkits (pardon me my friend, but Tornkit
is pretty old nowadays) now have trojaned binaries like ps, ls, ifconfig etc.
which have the same size as the original binaries and are normally
based on a master-slave technique which strongly needs ifconfig not to show
the promisc mode set by the admin.

In this regard, I suggest you google and search for Superkit or
Suckit (the first one coming up on the l33t scene), which are also open
source rootkits!!

Anyway... Skander's reflections are very right and I congratulate him
on his good analysis.

Good work guys!

Ciao

Marco Monicelli
MARCEGAGLIA SPA
Sales Department - Automotive
Tel. +39 0376 685369
Fax. +39 0376 685625
mail: ***@marcegaglia.com




Ranjeet Shetye
2004-06-30 01:49:29 UTC
Since I didn't see a solution mentioned, here goes:

try chkrootkit @ http://www.chkrootkit.org/

It's at version 0.43 currently. It will check your computer for a rootkit
and is pretty useful.

Also, it might be a good idea to run clamav, then rebuild the machine. You
cannot trust ANY binary on a rooted machine.
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.
Rodrigo Campos
2004-07-02 01:39:51 UTC
By default tcpdump puts the interface in promiscuous mode: it sets the
third argument of pcap_open_live to 1:

pcap_t *pcap_open_live(const char *device, int snaplen,
                       int promisc, int to_ms, char *errbuf)

You can override this behaviour by using the -p option when running
tcpdump, but in non-promiscuous mode you'll be able to capture packets
sent only to the host.

Am
2004-07-01 08:39:56 UTC
If the machine is a fresh install, it might be a problem with tcpdump itself. I read something about ifconfig being broken in the PROMISC department due to some changes in the kernel.

Use ip (/usr/sbin/ip) to check your interface status. It should match the entries in dmesg and /var/log/messages.

Rootkit - possible, but needs more tests - e.g. check the binaries' md5 hashes.

Am
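An added cross-check that applies the thread's advice in code (written for this note, not taken from the thread, from chkrootkit or from net-tools): read the kernel's own flag word and compare it with what ip link, ifconfig and dmesg report, so that ifconfig is never the only source consulted. It assumes a Linux host where /sys/class/net/<iface>/flags exists (2.6 and later kernels; on a 2.4 system, ip link is the kernel-side source) and uses constructed sample output for a host running tcpdump on eth0.

```python
import re
IFF_PROMISC = 0x100  # promiscuous bit in /sys/class/net/<iface>/flags (Linux net_device flags)

# Constructed sample snapshots of one host running tcpdump on eth0 (not real captured output).
SYSFS_FLAGS = "0x1103\n"   # UP|BROADCAST|PROMISC|MULTICAST as the kernel stores it
IP_LINK = "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000\n"
IFCONFIG = ("eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01\n"
            "          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n")
DMESG = "device eth0 entered promiscuous mode\n"

def promisc_sysfs(flags_text):
    """Kernel's own view: the hex flags word read from sysfs."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promisc_ip_link(text, iface):
    """'ip link show' (netlink) view: flags listed inside <...> on the interface's line."""
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+):\s+<([^>]*)>", line)
        if m and m.group(1) == iface:
            return "PROMISC" in m.group(2).split(",")
    return None  # interface not listed at all

def promisc_ifconfig(text, iface):
    """net-tools ifconfig view: PROMISC keyword anywhere in the block for iface."""
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]  # a non-indented line starts a new interface block
        if current == iface and re.search(r"\bPROMISC\b", line):
            return True
    return False

def promisc_dmesg(text, iface):
    """Replay the kernel log messages quoted in the thread; the latest one wins."""
    state = None
    for line in text.splitlines():
        if f"device {iface} entered promiscuous mode" in line:
            state = True
        elif f"device {iface} left promiscuous mode" in line:
            state = False
    return state

def audit(iface, sysfs, ip_link, ifconfig, dmesg):
    """Compare every user-space view against the kernel flag word; return the disagreeing ones."""
    kernel = promisc_sysfs(sysfs)
    views = {"ip link": promisc_ip_link(ip_link, iface),
             "ifconfig": promisc_ifconfig(ifconfig, iface),
             "dmesg": promisc_dmesg(dmesg, iface)}
    # ifconfig missing PROMISC is the quirk the thread discusses; a trojaned ifconfig looks
    # identical from here, so the binary itself must be verified separately (hashes, chkrootkit).
    return sorted(name for name, seen in views.items() if seen is not None and seen != kernel)
```

With the sample data, audit() returns ["ifconfig"]: the kernel, ip link and dmesg agree that eth0 is promiscuous while ifconfig alone is silent.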