1 17th March 21:25
unruh
device eth0 entered promiscuous mode == what does this mean?


I am getting huge bunches of messages in /var/log/syslog. Here is a small
sample

Mar 26 18:26:20 info kernel: device eth0 entered promiscuous mode
Mar 26 18:26:20 info kernel: audit(1174958780.196:6506): dev=eth0 prom=256 old_prom=0 auid=4294967295
Mar 26 18:26:22 info kernel: device eth0 left promiscuous mode
Mar 26 18:26:22 info kernel: audit(1174958782.200:6507): dev=eth0 prom=0 old_prom=256 auid=4294967295
Mar 26 18:26:22 info kernel: device eth0 entered promiscuous mode
Mar 26 18:26:22 info kernel: audit(1174958782.208:6508): dev=eth0 prom=256 old_prom=0 auid=4294967295
Mar 26 18:26:24 info kernel: device eth0 left promiscuous mode
Mar 26 18:26:24 info kernel: audit(1174958784.224:6509): dev=eth0 prom=0 old_prom=256 auid=4294967295
Mar 26 18:26:24 info kernel: device eth0 entered promiscuous mode
Mar 26 18:26:24 info kernel: audit(1174958784.236:6510): dev=eth0 prom=256 old_prom=0 auid=4294967295


What does this mean? I know that when one runs tcpdump the ethernet card is
put into promiscuous mode. But I am not doing that. And is the number after
the UTC seconds (e.g. :6508) in the audit() the process IP that is doing this?
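
Added example, not part of the original post: a small parser for the kernel audit records quoted above that pairs each enter/leave event into a capture window. It relies on the Linux audit record layout audit(epoch.millis:serial), where the number after the colon is the audit event serial number, prom=256 is the IFF_PROMISC flag bit (0x100) and auid=4294967295 is the unset login UID; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Audit lines copied from the first post (wrapped lines rejoined).
SAMPLE = """\
Mar 26 18:26:20 info kernel: audit(1174958780.196:6506): dev=eth0 prom=256 old_prom=0 auid=4294967295
Mar 26 18:26:22 info kernel: audit(1174958782.200:6507): dev=eth0 prom=0 old_prom=256 auid=4294967295
Mar 26 18:26:22 info kernel: audit(1174958782.208:6508): dev=eth0 prom=256 old_prom=0 auid=4294967295
Mar 26 18:26:24 info kernel: audit(1174958784.224:6509): dev=eth0 prom=0 old_prom=256 auid=4294967295
Mar 26 18:26:24 info kernel: audit(1174958784.236:6510): dev=eth0 prom=256 old_prom=0 auid=4294967295
"""

AUDIT_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+dev=(?P<dev>\S+)\s+"
    r"prom=(?P<prom>\d+)\s+old_prom=(?P<old>\d+)\s+auid=(?P<auid>\d+)")
IFF_PROMISC = 0x100      # interface flag bit; shows up as 256 in prom=
AUID_UNSET = 0xFFFFFFFF  # (uid_t)-1: no login session tied to the event

def parse(text):
    """Yield one dict per promiscuous-mode audit record found in text."""
    for m in AUDIT_RE.finditer(text):
        prom, old = int(m["prom"]), int(m["old"])
        yield {
            "time": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
            "serial": int(m["serial"]),  # audit event counter, not a PID
            "dev": m["dev"],
            "entered": bool(prom & IFF_PROMISC) and not old & IFF_PROMISC,
            "login_uid": None if int(m["auid"]) == AUID_UNSET else int(m["auid"]),
        }

def capture_windows(events):
    """Pair each 'entered' with the next 'left' on the same device."""
    open_since, windows = {}, []
    for ev in events:
        if ev["entered"]:
            open_since[ev["dev"]] = ev["time"]
        elif ev["dev"] in open_since:
            start = open_since.pop(ev["dev"])
            windows.append((ev["dev"], start, (ev["time"] - start).total_seconds()))
    return windows, sorted(open_since)  # closed windows, devices still promiscuous

if __name__ == "__main__":
    windows, still_open = capture_windows(parse(SAMPLE))
    for dev, start, secs in windows:
        print(f"{dev}: promiscuous from {start:%H:%M:%S} UTC for {secs:.3f}s")
    print("still promiscuous:", still_open)
```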

2 17th March 21:25
bit twister


What is the value from

echo security=$SECURE_LEVEL

and results from
cat /var/lib/msec/security.conf

3 17th March 21:25
bit twister


I would also like to see contents from

cat /etc/security/msec/security.conf

4 17th March 21:25
unruh


Bit Twister <BitTwister@mouse-potato.com> writes:

Level 2

CHECK_OPEN_PORT=no
CHECK_UNOWNED=no
CHECK_SECURITY=yes
CHECK_PASSWD=no
CHECK_SUID_ROOT=yes
MAIL_EMPTY_CONTENT=no
CHECK_PROMISC=no
TTY_WARN=no
MAIL_WARN=no
CHECK_PERMS=no
CHECK_SGID=yes
SYSLOG_WARN=yes
CHECK_SHADOW=no
CHKROOTKIT_CHECK=no
RPM_CHECK=no
CHECK_WRITABLE=yes
CHECK_SUID_MD5=yes

5 17th March 21:25
bit twister


My Level 3 settings-----------------. | V


Ok, I have no idea where your =eth0 audit line comes from. Then again
I am running Mandriva 2007. You failed to provide which release you
are running.


cd /var/log
# zcat syslog.1.gz | grep audit
Mar 18 09:42:35 wb kernel: audit: initializing netlink socket (disabled)
Mar 18 09:42:35 wb kernel: audit(1174228936.304:1): initialized
Mar 21 17:34:32 wb kernel: audit: initializing netlink socket (disabled)
Mar 21 17:34:32 wb kernel: audit(1174516442.988:1): initialized
Mar 23 08:46:26 wb kernel: audit: initializing netlink socket (disabled)
Mar 23 08:46:26 wb kernel: audit(1174657576.968:1): initialized

Your device eth0 entering promiscuous mode, is looking kinda bad.

I run security level 3 and do not see your messages in syslog or messages
on 2006 and 2007.

You may want to get an rpm check of your install with
rpm -Va > /tmp/verify
Now do a
grep '^..[5?]' /tmp/verify
for list of changes.

man rpm to understand codes.

6 17th March 22:52
unruh


Bit Twister <BitTwister@mouse-potato.com> writes:

Sorry Mandriva 2007.0

Yes, that switching into promiscuous mode looks very suspicious. No idea
what is going on there.

Yup am doing so again. I have found nothing in the past.

7 17th March 22:53
unruh


Oops, I do apologize. I did set up a program to run tcpdump every 5 min,
and then completely forgot about it. Finally found it again.
Sorry to anyone who spent any time thinking about this and thanks to
BitTwister for his comments.


Unruh <unruh-spam@physics.ubc.ca> writes:

8 17th March 22:53
bit twister


I assume you are not running wireshark/ethereal or some such app.

9 17th March 22:53
blinky the shark


Wireshark. I like the name.

--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

10 17th March 22:53
dnoyeb


LOL. Nice icon.