ifconfig donot report the promiscous mode when ethereal is running

nkd · 07-29-2008, 04:41 AM

I am using fedora8.
When I use the command ifconfig -a , the ethernet adapter donot display the promiscous mode, even if ethereal is running.
however, if I put the card in promiscous mode by giving the command
ifconfig eth0 promisc
thereafter, the ifconfig -a command reports the promiscous mode correctly.
why so ? AFAIK ethereal is running in promiscous mode and so the ifconfig -a command should report that

thanks in advance
nishith

unSpawn · 07-29-2008, 06:11 AM

In short there's two "types" of promiscuous mode and two methods of determining it. The "old way" (IFF_PROMISC) can be detected by running 'ifconfig' or 'ifpromisc', the "new way" (MR_PACKET_PROMISC, libpcap-based apps) can be detected running 'ip' (iproute package). The shortcomings of ifconfig-based detection in Tiger, LSAT and Rootkit Hunter was countered and patched in 2003 and any recent version of Chkrootkits 'ifpromisc' will have PF_PACKET-based detection.

nkd · 07-29-2008, 12:32 PM

thanks for your response
The command ip link show eth0 on my machine gives the following output :-
[root@localhost ~]# ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1b:24:d4:1b:92 brd ff:ff:ff:ff:ff:ff
Ethereal is running at the time the command was executed.
However, after I put the card explicitly in promiscous mode using ifconfgi eth0 promisc command ,
the PROMISC flag shows up as expected.
what next ?
nishith

unSpawn · 07-29-2008, 03:29 PM

Trying all scenarios again, what does

Code:

showSniffer() { inodes=($(awk '/[0-9]/ {print $9}' /proc/net/packet)); 
 inodes=${inodes[*]}; inodes=${inodes// /|}; for p in $pids; do 
 /usr/bin/readlink -f /proc/"$p"/exe; done; }

return during each?