I'm running fedora core 3 and have set up a second network card to run in promiscuous mode, so that I can run some intrusion detection software. Before I run any fancy software, I'm trying to see traffic using tcpdump, but I have a problem: I can only see broadcast traffic, and not any addressed traffic. The addressed (non-broadcast) traffic is definitely getting to the IDS NIC as it is connected to a simple hub!
My understanding is that the best way to have an IDS NIC is to remove its IP address and run it in promiscuous mode, which is how I have it set up.
This is the output of ifconfig:
[root@islay ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:BF:B1:69:56
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:bfff:feb1:6956/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:569896 errors:0 dropped:0 overruns:0 frame:0
TX packets:334424 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:768748970 (733.1 MiB) TX bytes:34785772 (33.1 MiB)
Interrupt:10 Base address:0x4000
eth1 Link encap:Ethernet HWaddr 00:0E:A6:2C:87
inet6 addr: fe80::20e:a6ff:fe2c:87d4/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:773 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:46380 (45.2 KiB) TX bytes:686 (686.0 b)
Interrupt:5 Base address:0x8800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1753 errors:0 dropped:0 overruns:0 frame:0
TX packets:1753 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:2120823 (2.0 MiB) TX bytes:2120823 (2.0 MiB)
eth1 is my IDS NIC. Note that it doesn't have an IP address assigned and that it is in promisc mode, as desired.
However, when I run tcpdump on this interface, all I can see is broadcast traffic:
[root@islay ~]# tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:45:58.053899 fe80::20e:a6ff:fe2c:87d4 > ff02::2: icmp6: router solicitation
14:46:10.908914 arp who-has 18.104.22.168 (5e:6e:30:01:88:0b) tell 22.214.171.124
14:46:13.886463 arp who-has 126.96.36.199 (01:24:11:5f:00:35) tell 188.8.131.52
14:46:25.357072 arp who-has 184.108.40.206 (c1:58:00:00:ce:95) tell 220.127.116.11
14:47:40.643888 arp who-has 18.104.22.168 (58:86:16:c9:00:50) tell 22.214.171.124
I know for a fact that a lot of traffic is going by the IDS NIC, but none of it is seen by tcpdump, despite promiscuous mode. Any ideas?
The network card is a new one: an SMC EZ 10/100 1244TXv2.0.