LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-20-2017, 03:18 AM   #1
tprabhu1983
LQ Newbie
 
Registered: Jul 2012
Location: Singapore
Distribution: RedHat, Fedora, SuSE
Posts: 8

Rep: Reputation: Disabled
RHEL 7.3 (vM): Promiscuous mode auto enable/disable, why?


Objective: How to eradicate this “promiscuous mode auto-enable/disable” permanently and avoid seeing these messages in /var/log/messages: kernel: device eth0 entered promiscuous mode & kernel: device eth0 left promiscuous mode

I've referred to the links below before posting this thread:
http://www.linuxquestions.org/questi...s-mode-220940/
https://access.redhat.com/solutions/57310
https://access.redhat.com/solutions/26464

Platform: VMware Virtual Machine + RHEL 7.3
Issue Description:
Promiscuous mode is auto-enabled/disabled and triggers a notification to dmesg, which in turn feeds to /etc/syslog.conf.
Our monitoring tool picks up this alert from dmesg and also from /var/log/messages, but Red Hat is providing a solution to suppress these under /var/log/messages, and not under dmesg.
The monitoring tool is picking up this alert from dmesg and generating tickets.
If you ask me why this promiscuous mode is being enabled and what the cause of it was: actually, in the output of “ip link show eth0” promisc mode is not enabled, but we still see the monitoring ticket for it.

Red Hat’s Reply:

1. Is this an information alert?
Yes. This is an information alert.
2. If I add the line below to /etc/rsyslog.conf, will ticket generation be stopped?
:msg, contains, "promiscuous mode" ~
The rsyslog filter will stop the message from entering syslog.
3. Do I have to restart the rsyslog service after adding this?
Yes. A service restart will be required to reload the new configuration.
4. Does it mean it should not make an entry in dmesg itself?
dmesg is just a way to read the kernel ring buffer; the kernel buffer is also sent to syslog, so anything in dmesg will also appear in syslog. There is no way to stop it in dmesg.
 
Old 02-20-2017, 09:30 AM   #2
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Rep: Reputation: 14
Hi,
First thing (by your description) is that you haven't executed any command to stop it. Check all your interfaces by executing "ifconfig -all"; this will also tell you the interface which is running in promiscuous mode. To stop it you should try "ifconfig 'interface name' -promisc" to disable promiscuous mode. The interface name could be either "eth0" for LAN or "wlan0" for wireless.

Also check for any sniffers running on the system; there is a possibility that a sniffer is in operation, which is using the interface in promiscuous mode. If so, stop the sniffer. In case you need more help, you are welcome.

Cheers!!
 
Old 02-20-2017, 10:25 PM   #3
tprabhu1983
LQ Newbie
 
Registered: Jul 2012
Location: Singapore
Distribution: RedHat, Fedora, SuSE
Posts: 8

Original Poster
Rep: Reputation: Disabled
@NM04,
Thanks for your reply.
I have the output, but it is the customer's confidential data, which cannot be posted here.
However, we have verified it and it has been confirmed that there is no PROMISC flag in the ifconfig -all output.

As far as a sniffer is concerned, the engineer is not available today to check on that.
Q # If sniffers were enabled, should I be seeing "promisc" with "ifconfig -a"? If you say yes, then I have not seen the PROMISC flag in the output.

Even if the sniffers were enabled, that would have been a human-initiated one, but we are facing this issue without enabling them, and that too on multiple servers.
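
The PROMISC flag printed by `ifconfig` and `ip link show` reflects only promiscuous mode requested through the interface flags; a packet socket, as libpcap-based capture tools open, raises the kernel's promiscuity counter without setting it, and that state is visible in `/sys/class/net/<dev>/flags` (bit 0x100) and in `ip -d link show`. The following is an added example, not part of any post in this thread: it pairs the kernel's entered/left messages per device and tests the sysfs bit; the function names are hypothetical and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: correlate "entered/left promiscuous mode" kernel messages
# and read the kernel's own view of an interface from sysfs.
IFF_PROMISC=256   # 0x100, IFF_PROMISC in <linux/if.h>

# Constructed sample in /var/log/messages format (not from a real host).
sample_log() {
cat <<'EOF'
Feb 20 03:10:01 host1 kernel: device eth0 entered promiscuous mode
Feb 20 03:10:04 host1 kernel: device eth0 left promiscuous mode
Feb 20 03:12:30 host1 kernel: device eth1 entered promiscuous mode
Feb 20 03:15:01 host1 kernel: device eth0 entered promiscuous mode
Feb 20 03:15:02 host1 systemd: Started Session 12 of user root.
Feb 20 03:15:04 host1 kernel: device eth0 left promiscuous mode
EOF
}

# Read log lines on stdin; print devices whose last transition was "entered",
# i.e. something still holds them in promiscuous mode.
promisc_open_devices() {
    awk 'NF >= 5 && $(NF-4) == "device" && $(NF-1) == "promiscuous" && $NF == "mode" {
             if ($(NF-2) == "entered") state[$(NF-3)] = 1
             else if ($(NF-2) == "left") state[$(NF-3)] = 0
         }
         END { for (d in state) if (state[d]) print d }' | sort
}

# Count how often device $1 entered promiscuous mode (short, regular
# enter/left pairs usually point at a scheduled capture or agent).
promisc_enter_count() {
    awk -v d="$1" 'index($0, "device " d " entered promiscuous mode") { n++ }
                   END { print n + 0 }'
}

# Succeed if a sysfs flags value (hex, e.g. 0x1103) has IFF_PROMISC set.
flags_has_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# List interfaces the kernel currently holds in promiscuous mode.
live_promisc_devices() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flags_has_promisc "$(cat "$f")"; then basename "$(dirname "$f")"; fi
    done
}

sample_log | promisc_open_devices   # demo on the constructed sample
```

On an affected host, feed `/var/log/messages` or `journalctl -k` into `promisc_open_devices`, and call `live_promisc_devices` while the messages are appearing to see which interface the kernel actually has in promiscuous mode.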
 
  



Tags
linux, networking, security breach




All times are GMT -5. The time now is 08:34 AM.
