LinuxQuestions.org
05-12-2005, 08:57 AM   #1
lardus
promiscuous mode not working (hub) - can only see broadcast traffic

I'm running fedora core 3 and have set up a second network card to run in promiscuous mode, so that I can run some intrusion detection software. Before I run any fancy software, I'm trying to see traffic using tcpdump, but I have a problem: I can only see broadcast traffic, and not any addressed traffic. The addressed (non-broadcast) traffic is definitely getting to the IDS NIC as it is connected to a simple hub!

My understanding is that the best way to have an IDS NIC is to remove its IP address and run it in promiscuous mode, which is how I have it set up.
This is the output of ifconfig:

[root@islay ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:BF:B1:69:56
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:bfff:feb1:6956/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:569896 errors:0 dropped:0 overruns:0 frame:0
TX packets:334424 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:768748970 (733.1 MiB) TX bytes:34785772 (33.1 MiB)
Interrupt:10 Base address:0x4000

eth1 Link encap:Ethernet HWaddr 00:0E:A6:2C:874
inet6 addr: fe80::20e:a6ff:fe2c:87d4/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:773 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46380 (45.2 KiB) TX bytes:686 (686.0 b)
Interrupt:5 Base address:0x8800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1753 errors:0 dropped:0 overruns:0 frame:0
TX packets:1753 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2120823 (2.0 MiB) TX bytes:2120823 (2.0 MiB)


eth1 is my IDS NIC. Note that it doesn't have an IP address assigned and that it is in promisc mode, as desired.
However, when I run tcpdump on this interface, all I can see is broadcast traffic:

[root@islay ~]# tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:45:58.053899 fe80::20e:a6ff:fe2c:87d4 > ff02::2: icmp6: router solicitation
14:46:10.908914 arp who-has 82.108.100.144 (5e:6e:30:01:88:0b) tell 82.108.100.145
14:46:13.886463 arp who-has 82.108.100.144 (01:24:11:5f:00:35) tell 82.108.100.145
14:46:25.357072 arp who-has 82.108.100.150 (c1:58:00:00:ce:95) tell 82.108.100.145
14:47:40.643888 arp who-has 82.108.100.144 (58:86:16:c9:00:50) tell 82.108.100.145

I know for a fact that a lot of traffic is going by the IDS NIC, but none of it is seen by tcpdump, despite promiscuous mode. Any ideas?
The network card is a new one: an SMC EZ 10/100 1244TXv2.0.

thanks
alex
 
05-12-2005, 09:38 AM   #2
Matir (Moderator)
Are you SURE it's only a dumb hub? There are some products labelled as hubs that actually do have some switching circuitry inside.
 
05-12-2005, 10:36 AM   #3
lardus (Original Poster)
Good point. I'm pretty sure it is indeed just a hub... it's the Linksys 10/100 5-port hub (model EFAH05W).

At one point I connected another computer directly to the IDS machine (via crossover cable) and tried pinging random addresses and did other traffic causing things from the other machine, and again, the IDS didn't see any of this traffic, but it did see some broadcast traffic from the other machine (netbios requests). So I'm pretty certain that the problem is the NIC not seeing the traffic somehow (or perhaps a driver?)

thanks for your reply!
alex
 
05-12-2005, 10:49 AM   #4
Matir (Moderator)
Running ifconfig, does it show the interface to be in promisc mode?
 
05-12-2005, 10:54 AM   #5
lardus (Original Poster)

Hi Matir

see my original post:

>eth1 Link encap:Ethernet HWaddr 00:0E:A6:2C:874
>inet6 addr: fe80::20e:a6ff:fe2c:87d4/64 Scope:Link
>UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
                      ^^^^^^^

thanks
alex
 
05-12-2005, 01:43 PM   #6
Matir (Moderator)
Oops, sorry, I somehow missed that. Try giving that interface an IP and pinging it and seeing if it can at least see that traffic.
 
05-13-2005, 04:44 AM   #7
lardus (Original Poster)

Ah! Good idea there! I gave eth1 a new unused static IP addr, and ran tcpdump -vv -i eth1 while pinging it, and guess what.... I can't see the pings! Only some broadcast traffic. (The machine doing the pinging is getting replies btw so the ping is getting through)
So the problem isn't promiscuous mode, it's something else.... tcpdump can't even see traffic addressed directly to that NIC!

ta,
alex
 
05-13-2005, 04:54 AM   #8
lardus (Original Poster)
Btw, when I was doing tcpdump on eth1 with a static address assigned, I also ran tcpdump with promiscuous mode *disabled* (-p option) just to see if that made any difference: it didn't, I still couldn't see my pings going to that interface.

alex
 
05-13-2005, 06:41 AM   #9
lardus (Original Poster)
A little note: I am running tcpdump as root; I know that running it as non-superuser can cause problems.
 
05-13-2005, 07:22 AM   #10
lardus (Original Poster)

and some more info... running tcpdump on eth0 works fine, I can see a whole load of traffic. Also have tried two different physical NICs for eth1 with same problem that I can't see non-broadcast traffic...
 
05-13-2005, 10:05 PM   #11
Matir (Moderator)
I am wondering if this could somehow be related to the driver or chipset on eth1. What kind of cards have you tried? And what kind of card is eth0?
 
05-16-2005, 04:22 AM   #12
lardus (Original Poster)
I don't have access to the machine currently, will check what hardware eth1 is shortly.
However, earlier on I tried reversing the network cards - so that eth0 was the new network card, and eth1 was the old card, and then I had the problem still that tcpdump wouldn't work on eth1 and then *would* work on eth0, which is the new hardware. So that seems to indicate that it's not the hardware or chipset or driver which is at issue, just that there is something that makes eth0 work for tcpdump and eth1 not. Something to do with the order?
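The two checks the thread works through (does ifconfig show PROMISC with no IPv4 bound, and does tcpdump on that port show any unicast at all, or only ARP and link-local multicast) scripted as an added example; this is not code from the thread. The ifconfig and tcpdump text embedded below is constructed from the output posted above, with a placeholder MAC for eth1 and made-up NetBIOS and ping lines.

```shell
#!/bin/sh
# Added example, not from the thread: a sanity check for a sniffing interface.
#   sniff_iface_status  reads old-style ifconfig(8) text and reports, per interface,
#                       whether PROMISC is set and whether an IPv4 address is bound
#   classify_capture    tallies tcpdump(8) text as unicast vs broadcast/multicast
# A "promiscuous" port that yields zero unicast is the symptom in the thread: the
# frames never reach the kernel (switched segment or NIC/driver), whatever the flag says.
sniff_iface_status() {
    awk '
        function emit() { printf "%s promisc=%s ipv4=%s\n", name, promisc, ipv4 }
        /^[a-z][a-z0-9]* +Link encap:/ { if (name != "") emit(); name = $1; promisc = "no"; ipv4 = "no" }
        /inet addr:/ { ipv4 = "yes" }
        / PROMISC /  { promisc = "yes" }
        END          { if (name != "") emit() }'
}

classify_capture() {
    awk '
        # ARP requests are sent to ff:ff:ff:ff:ff:ff, ff02:: is IPv6 link-local multicast,
        # and x.x.x.255.<port> is the directed broadcast NetBIOS name queries use
        /arp who-has/ || / > ff02:/ || / > [0-9.]+\.255\.[0-9]+:/ { non++; next }
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./                  { uni++ }
        END { printf "%d %d %s\n", uni + 0, non + 0, ((uni > 0) ? "unicast-visible" : "broadcast-only") }'
}

# Constructed samples trimmed from the output posted above (eth1 MAC is a placeholder,
# the NetBIOS and ping lines are made up).
IFCONFIG_SAMPLE='eth0 Link encap:Ethernet HWaddr 00:50:BF:B1:69:56
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:00:5E:00:53:01
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1'
CAPTURE_SAMPLE='14:45:58.053899 fe80::20e:a6ff:fe2c:87d4 > ff02::2: icmp6: router solicitation
14:46:10.908914 arp who-has 82.108.100.144 (5e:6e:30:01:88:0b) tell 82.108.100.145
14:46:25.357072 arp who-has 82.108.100.150 (c1:58:00:00:ce:95) tell 82.108.100.145
14:47:02.118204 IP 192.168.1.7.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST'
PING_SAMPLE="$CAPTURE_SAMPLE
14:50:01.000000 IP 192.168.1.7 > 192.168.1.150: icmp 64: echo request seq 1
14:50:01.000312 IP 192.168.1.150 > 192.168.1.7: icmp 64: echo reply seq 1"

printf '%s\n' "$IFCONFIG_SAMPLE" | sniff_iface_status   # eth1 promisc=yes ipv4=no
printf '%s\n' "$CAPTURE_SAMPLE"  | classify_capture     # 0 4 broadcast-only
printf '%s\n' "$PING_SAMPLE"     | classify_capture     # 2 4 unicast-visible
```

Feed a live capture with `tcpdump -n -i eth1 | classify_capture` after a short wait; a verdict of broadcast-only while a host pings the interface is the state the thread ends in.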