On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote: > > This affects Linux 2.2 and 2.4 > > Using libpcap to put the interface in promiscuous mode, will cause that > ifconfig(8) doesn't show it! > > libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with > PACKET_MR_PROMISC to set the interface in promiscuous mode. > > I notified this to the tcpdump-workers mailing list and the problem is > that the setsockopt() sets the promisc flag in a variable that is not the > same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the > kernel source right now to make this advisory more precise. I noticed it some time ago and did a little research to discover why this happens. There are some results/discussion in our bugzilla: http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=5201 (I'm sorry some parts of this page are in brazilian portuguese) This subject was already discussed in the linux-kernel mailing list: PACKET_MR_PROMISC doesn't set IFF_PROMISC http://www.uwsg.iu.edu/hypermail/linux/kernel/0101.2/1349.html Misreporting of the PROMISC flag http://www.uwsg.iu.edu/hypermail/linux/kernel/9705.2/0284.html And in the tcpdump-workers list: [tcpdump-workers] concerns about tcpdump http://www.tcpdump.org/lists/workers/2001/01/msg00192.html Re: [tcpdump-workers] concerns about tcpdump http://www.tcpdump.org/lists/workers/2001/01/msg00184.html Transcripting some interesting parts of the message above: ... "This means that only promiscuity requested by SIOCSIFFLAGS will show up in SIOCGIFFLAGS, not promiscuity requested by PACKET_MR_PROMISC." ... " > IFF_PROMISC is not set, It's not supposed to be set. The correct way to put into promiscuous mode the device to which a PF_PACKET socket is to do a SOL_PACKET/PACKET_ADD_MEMBERSHIP "setsockopt()" call with PACKET_MR_PROMISC as the argument (see the "packet(7)" man page), and that's what libpcap is doing. The old way of directly setting IFF_PROMISC had problems - [...] ... And in other message (same thread): " Just to make things clear: the >= 2.2 kernels have a new way of setting promiscous mode via setsockopt(). We use this sicne a few month in pcap. It has the advantage of thread-safeness. The usage of ioctl() is depreciated. ifconfig doesnt show the flag, b/c kernel filters it out. Dont know why. Administrators should note that they dont see sniffers anymore on >= 2.2 kernels! " Although I think fixing ifconfig would be a good thing(TM), it's considered obsolete. Use the the "ip" utility instead. Cheers. - Ademar -- Ademar de Souza Reis Jr. <ademarat_private> Conectiva S/A - http://www.conectiva.com ^[:wq!
This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 10:20:41 PDT