Sean Estabrooks writes:

> On Sat, 27 Dec 2003 22:33:00 -0600 (CST)
> Robert Brown <eli@xxxxxxxxxxxxxxxx> wrote:
>
> > Yes, and I have similar symptoms on other boxes, although the only
> > other multi-homed boxes are the firewalls. I see the problem even
> > when I run the above tcpdump command line from my workstation.
> >
> > I think promiscuous mode is broken. I can set it with ifconfig, and
> > ifconfig reports that it is set, but I do not think it is working
> > anymore, not since the upgrade to the 2.4.20-27.9 kernel.
>
> Forgive me if you already answered this question earlier in the thread:
> Are you able to use promiscuous mode with an older kernel on the exact
> same network? It sure sounds like you are trying to sniff while plugged
> into a network switch rather than a hub. A switch routes the traffic
> intelligently so you won't see anything but broadcasts and traffic
> destined for your machine directly. Are you sure you're using a hub, so
> that you can snoop all traffic? If not you'll need a managed switch
> which allows configuring a port as a snooping-port, which isn't a feature
> on many low end switches.

Yes, I have been using this setup for several years now. I recently
upgraded the lan and dmz hubs to 10/100baseT units, and upgraded all the
nics that could not do 100baseT, mostly to speed up the nightly backup
runs. I am well aware of the difference between a switch and a hub, and
between half and full duplex modes. I researched carefully before buying
the 10/100baseT hub, even contacting the manufacturer's tech support phone
line to verify that this device was indeed a true hub, and not a switch.
I require a half-duplex hubbed network to sniff all packets. As such, I
have nailed up the nics to 100baseT half duplex operation in the
/etc/modules.conf file. The whole thing was working fine with the
2.4.20-24.9 kernel, but fails now that I have moved to the 2.4.20-27.9
kernel.

I am contemplating investing in some cheap 5-port switches and using one
of them on each dmz machine as an isolator, so that if an intruder is able
to get in and install a sniffer, he still won't see anything more than
traffic for that one machine. I have done this before, and it works very
well. This way, I get the isolation of a switch together with the
surveillance capabilities of the hub.

> > How, other than by sniffing with tcpdump, can I verify this?
>
> Snort can listen itself without tcpdump, check out the man page for the
> relevant switch settings.

Yes, but it uses the same Berkeley packet filter and libpcap library as
tcpdump, so it doesn't really prove anything. I was wondering if there was
some way I could determine if the actual hardware is being put into
promiscuous mode. There ought to be a red led on the nic for this! Don't I
wish...

--
-------- "And there came a writing to him from Elijah" [2Ch 21:12] --------
R. J. Brown III   rj@xxxxxxxxxxx   http://www.elilabs.com/~rj   voice 859 567-7311
Elijah Laboratories Inc.   P. O. Box 166, Warsaw KY 41095        fax 859 567-7311
-----  M o d e l i n g   t h e   M e t h o d s   o f   t h e   M i n d  ------

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
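The question raised in the message above, whether the NIC itself is accepting frames not addressed to it rather than ifconfig merely reporting the PROMISC flag, can be answered from a second host on the same hub without touching libpcap on the suspect box. The script below is an added example written for this page; it is not code from the poster or from the thread. It implements the well-known fake-broadcast ARP test: an ARP request for the target's IP is sent with ff:ff:ff:ff:ff:fe as the Ethernet destination instead of the real broadcast address. A NIC with its hardware address filter on drops the frame; a NIC in promiscuous mode delivers it, the Linux ARP code answers, and the reply is direct evidence that the filter is off. The interface name, MAC and IP addresses are placeholders; it needs root (CAP_NET_RAW) and a Linux probing host because it uses AF_PACKET sockets.

```python
"""Fake-broadcast ARP probe: does the target NIC pass up frames that are
not addressed to it?  Added example, not part of the original post.
Addresses below are placeholders; run as root on the probing host.
"""
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Why not a random unicast MAC?  Linux's eth_type_trans() tags a unicast
# frame for a foreign MAC as PACKET_OTHERHOST, and both arp_rcv() and
# ip_rcv() drop such frames even when the interface is promiscuous, so a
# unicast probe would be a false negative.  An address with the group bit
# set that is not the true broadcast is tagged PACKET_MULTICAST and is
# processed normally; the NIC's hardware filter still drops it unless
# promiscuous (or all-multicast) mode is on.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip,
              target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    frame = eth + arp
    return frame + b"\x00" * (60 - len(frame))   # pad to minimum frame size


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not ARP/IPv4."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    return op, sender_mac, sender_ip, target_ip


def is_reply_to_probe(frame: bytes, target_ip: str, our_ip: str) -> bool:
    """True if frame is an ARP reply from target_ip addressed to our_ip."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    op, _sender_mac, sender_ip, tpa = parsed
    return op == ARP_REPLY and sender_ip == target_ip and tpa == our_ip


def probe_promiscuous(iface, our_mac, our_ip, target_ip, timeout=2.0) -> bool:
    """Send the fake-broadcast ARP request on iface; True if the target answers."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.settimeout(0.2)
    req = build_arp(FAKE_BROADCAST, our_mac, ARP_REQUEST,
                    our_mac, our_ip, "00:00:00:00:00:00", target_ip)
    s.send(req)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            frame = s.recv(65535)
        except socket.timeout:
            continue
        if is_reply_to_probe(frame, target_ip, our_ip):
            return True
    return False


if __name__ == "__main__":
    import sys
    # e.g.  sudo python3 promisc_probe.py eth0 00:11:22:33:44:55 192.168.1.10 192.168.1.20
    iface, our_mac, our_ip, target_ip = sys.argv[1:5]
    if probe_promiscuous(iface, our_mac, our_ip, target_ip):
        print("%s answered the fake-broadcast ARP: its NIC is passing foreign frames" % target_ip)
    else:
        print("%s did not answer: its hardware address filter appears to be on" % target_ip)
```

Two caveats for reading the result. A reply is strong evidence, but no reply is not proof that promiscuous mode is off: the target must be a host whose ARP stack ignores the destination MAC (Linux does, as explained in the comment), and it must not have ARP disabled. Conversely, a NIC in all-multicast mode, or one with a coarse multicast hash filter that happens to pass ff:ff:ff:ff:ff:fe, can answer without being promiscuous; repeating the probe with a second group-bit address such as 01:00:5e:00:00:00 reduces that chance.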