Hallo,

I want to use tcpdump to analyze the NTP traffic on some of my machines. The machines that I want to analyze run HP-UX and linux. To use tcpdump 2 packages are required Libpcap and Tcpdump. I know that tcpdump (libcap?) sets the network interface to promiscuous mode. I have some questions:

1) does the installation itself of libcap/tcpdump set the interface to promiscuous mode mode or does tcpdump set the interface to promiscuous mode when it is started and then it sets back to non promiscuous mode when it is stopped?

2) If the promiscuous mode is activated at installation time, how to deactivate it when I am ready with my analysis? Is it enough to de-install the 2 packages?

3) How to check if the promiscuous mode is activated without installing extra packages? (I do not see anything in the logs (at least on HP-UX) and nothing with dmesg)

4) which are the drawbacks with an active promiscuous mode? I guess higher latency time (?), what about security?, what else?

Most important for me is what happens with the HP-UX machines.

Thanks a lot.

It switches modes when it's run, rather than at install time
The main effect of running in this mode is an increase in network traffic through the card (it's likely to cause a small increase in CPU load too).
If you completely overwhelm the card, you could potentially start dropping packets, inbcluding ones genuinly destined for this server - not very likely to happen with modern hardware though.

No major security concerns but one could make the case that accepting more data in over the NIC increases one's exposure to potential threats. Not exactly a biggie though