- make sure /var/log/messages is the log the messages arrive in, otherwise choose another log,
- install the latest Chkrootkit(.org), run chkrootkit to be on the safe side, find the location of the "ifpromisc" binary
then as root run:
Code:
tail -f /var/log/messages|grep -qie "promisc" && /path/to/ifpromisc
It will die after the first hit and show a message "interface_name: PF_PACKET(/path/name)"
where "/path/name" is a binary that puts the interface in promisc mode.
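
Added example, not part of the original post: the grep above also matches "left promiscuous mode" lines, so this sketch replays a log and reports only the interfaces whose last transition was "entered". The function name promisc_ifaces and the sample log lines are constructed for illustration; the two kernel message wordings handled ("device eth0 entered ..." and "eth0: entered ...") are assumptions about what your kernel writes.

```shell
#!/bin/sh
# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG='Mar  3 10:01:12 host1 kernel: device eth0 entered promiscuous mode
Mar  3 10:01:40 host1 kernel: device eth0 left promiscuous mode
Mar  3 10:05:02 host1 kernel: device eth1 entered promiscuous mode
Mar  3 10:06:30 host1 kernel: br0: entered promiscuous mode
Mar  3 10:07:00 host1 kernel: br0: left promiscuous mode
Mar  3 10:09:15 host1 kernel: device eth0 entered promiscuous mode'

# promisc_ifaces: read syslog lines on stdin, print (sorted) the interfaces
# that are still in promiscuous mode after the last logged transition.
promisc_ifaces() {
    awk '
    /promiscuous mode/ {
        for (i = 2; i < NF; i++) {
            # The interface name is the word right before "entered"/"left".
            if (($i == "entered" || $i == "left") && $(i + 1) == "promiscuous") {
                ifname = $(i - 1)
                sub(/:$/, "", ifname)   # "br0:" -> "br0"
                state[ifname] = $i      # remember only the latest transition
            }
        }
    }
    END {
        for (n in state)
            if (state[n] == "entered")
                print n
    }' | sort
}

# Replay the constructed sample; on a real host use:
#   promisc_ifaces < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | promisc_ifaces
```

Any interface it prints is a candidate for the ifpromisc check from the post.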