tcpdump and promiscuous mode

 
Catia Lavalle
Occasional Advisor

tcpdump and promiscuous mode

Hello,

I want to use tcpdump to analyze the NTP traffic on 2 of my machines. The machines that I want to analyze are HP-UX B.11.11 and HP-UX B.11.23. To use tcpdump, 2 packages are required: libpcap and tcpdump. I know that tcpdump (libpcap?) sets the network interface to promiscuous mode. I have some questions:

1) Does the installation itself of libpcap/tcpdump set the interface to promiscuous mode, or does tcpdump set the interface to promiscuous mode when it is started and then set it back to non-promiscuous mode when it is stopped?

2) If the promiscuous mode is activated at installation time, how do I deactivate it when I am done with my analysis? Is it enough to de-install the 2 packages?

3) How do I check if the promiscuous mode is activated without installing extra packages? (I do not see anything in /var/adm/syslog/syslog.log and nothing with dmesg.)

4) What are the drawbacks of an active promiscuous mode? I guess higher latency (?); what about security? What else?

Thanks a lot.
radkol
Advisor

Re: tcpdump and promiscuous mode

Hi,

tcpdump sets your interface to promiscuous mode only when it is started to capture traffic on it.
You should be able to check it with ifconfig lanXX; there is PROMISC or something similar.
Robert-Jan Goossens
Honored Contributor

Re: tcpdump and promiscuous mode

Hi Catia,

I will try to answer your last question, 4.

The largest drawback would be the law (de) about the use of the promiscuous mode inside scanning tools.

I would advise you to use the official HP supported network analyzing tool Wireshark. Wireshark can be downloaded for free from the link below (11iv1+11iv2+11iv3).

http://h20392.www2.hp.com/portal/swdepot/searchProducts.do

man page
http://www.wireshark.org/docs/man-pages/wireshark.html

--
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Wireshark is running, broadcast traffic, and multicast traffic to addresses received by that machine.
--

Best regards,
Robert-Jan
Bill Hassell
Honored Contributor

Re: tcpdump and promiscuous mode

Since you are monitoring a specific protocol (NTP), you won't need promiscuous mode at all. The only time you turn on promiscuous mode is to monitor everything regardless of protocol and source or destination. And if your LAN card is connected to a switch, it won't see any traffic that isn't addressed to your machine. For that, you would have to use a true hub for all the machines. So promiscuous mode isn't needed at all.

Also note that NTP is a very low overhead protocol -- for a single system, syncing with NTP only occurs once every 64 seconds with less than 100 bytes in the packet. If your system acts as an NTP server, then you'll see the incoming requests (also at a similar slow rate per machine). So don't be surprised when it takes a long time to collect a lot of NTP data.


Bill Hassell, sysadmin
Catia Lavalle
Occasional Advisor

Re: tcpdump and promiscuous mode

First thanks for your answers.

1) I know that tcpdump is a "sniffer", so if I used it on the open Internet or in an "alien" network I would have problems, although I do not think I would have any problem using it for sniffing my own system. Anyway, this is not what I am interested in; actually the whole "promiscuous mode" is what is disturbing me.

2) I know I can avoid starting the promiscuous mode within tcpdump with the -p option. The question was: are you sure that the HP-UX implementation of tcpdump is such that "only at tcpdump runtime without the -p flag is the promiscuous mode active"? In Linux I am sure it is the case (it shows the start promiscuous mode / stop promiscuous mode messages in /var/log/messages), but I have found no one who was able to guarantee this for HP-UX.

3) I know quite a lot about NTP and I know that it will take long to capture all the packets I want, but everything is under control in that sense.

4) Overall the main question is rather general and independent of tcpdump: "how do I see on HP-UX (.11, .23) if the promiscuous mode is active or not?" No logs in syslog, nothing in dmesg, the promiscuous mode is not shown with ifconfig lanxx. Following the forum I have seen that there is a tool, ifstatus-4.0, which should show exactly what I want (written for HP and especially Solaris people who have exactly the same problem as I have), but it is for 32 bit, no way. I saw that a tool is available in the .31 version that will replace lanscan and that does show the promiscuous mode too, but ... I am looking for an answer for .11 and .23.

So in summary:

a) Are you sure that the HP-UX implementations of libpcap and tcpdump are such that only at tcpdump runtime without the -p flag is the promiscuous mode active?

b) Pretty much in general: is there a way to check in HP-UX .11, .23 if the promiscuous mode is active?

Any idea? Thanks again.
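As an added example (not code from any post in this thread), the two checks discussed above run over constructed sample output: radkol's "look for PROMISC in the ifconfig flags" check, and a replay of the Linux "entered/left promiscuous mode" kernel messages Catia refers to. The ifconfig sample assumes the driver reports PROMISC in the flags list, which this thread says may not hold on HP-UX 11.11/11.23; the interface names, addresses and timestamps are invented.

```shell
#!/bin/sh
# Added example, not from the thread. Lists interfaces currently in promiscuous
# mode from (a) ifconfig flag lists and (b) Linux-style kernel log lines.
# NTP itself needs no promiscuous capture: "tcpdump -p -n -i lan0 udp port 123"
# leaves the card in normal mode and still sees this host's own NTP packets.

# Constructed ifconfig output in the flags=...<...> layout. Assumes the driver
# reports PROMISC in the flag list (the thread notes HP-UX 11.11/11.23 may not).
SAMPLE_IFCONFIG='lan0: flags=1843<UP,BROADCAST,RUNNING,MULTICAST,CKO>
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
lan1: flags=1843<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,CKO>
        inet 198.51.100.10 netmask ffffff00 broadcast 198.51.100.255'

# Constructed Linux kernel messages of the kind seen in /var/log/messages.
SAMPLE_SYSLOG='Mar  3 10:01:02 host kernel: device eth0 entered promiscuous mode
Mar  3 10:01:05 host kernel: device eth1 entered promiscuous mode
Mar  3 10:09:40 host kernel: device eth0 left promiscuous mode'

# promisc_from_ifconfig TEXT: print each interface whose flag list has PROMISC.
# Fields split on ':' '<' '>' so $1 is the name and $3 the comma-separated flags;
# address lines start with whitespace and are skipped.
promisc_from_ifconfig() {
    printf '%s\n' "$1" | awk -F'[:<>]' '
        /^[A-Za-z]/ && $3 ~ /(^|,)PROMISC(,|$)/ { print $1 }'
}

# promisc_from_syslog TEXT: replay entered/left messages in order and print the
# devices still in promiscuous mode at the end (sorted for stable output).
promisc_from_syslog() {
    printf '%s\n' "$1" | awk '
        /entered promiscuous mode/ { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = 1 }
        /left promiscuous mode/    { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = 0 }
        END { for (d in state) if (state[d]) print d }' | sort
}

# Stand-alone demo; on a live box feed real `ifconfig lanN` output or the
# kernel log instead of the constructed samples.
echo "ifconfig PROMISC: $(promisc_from_ifconfig "$SAMPLE_IFCONFIG")"
echo "syslog promisc:   $(promisc_from_syslog "$SAMPLE_SYSLOG")"
```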