02-25-2008
tcpdump and promiscuous mode (on Linux and HP-UX)
Hello,
I want to use tcpdump to analyze the NTP traffic on some of my machines. The machines that I want to analyze run HP-UX and Linux. To use tcpdump, 2 packages are required: Libpcap and Tcpdump. I know that tcpdump (libpcap?) sets the network interface to promiscuous mode. I have some questions:
1) Does the installation itself of libpcap/tcpdump set the interface to promiscuous mode, or does tcpdump set the interface to promiscuous mode when it is started and then set it back to non-promiscuous mode when it is stopped?
2) If the promiscuous mode is activated at installation time, how to deactivate it when I am ready with my analysis? Is it enough to de-install the 2 packages?
3) How to check if the promiscuous mode is activated without installing extra packages? (I do not see anything in the logs (at least on HP-UX) and nothing with dmesg)
4) What are the drawbacks of an active promiscuous mode? I guess higher latency time (?). What about security? What else?
Most important for me is what happens with the HP-UX machines.
Thanks a lot.
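For question 3 on the Linux side, here is an added example (not part of the original post) that needs no extra packages. It reads each interface's flags word from sysfs and tests the IFF_PROMISC bit (0x100), which the kernel keeps set while anything holds the interface in promiscuous mode. The function name `list_promisc` and its optional directory argument are assumptions made for this sketch, and HP-UX has no sysfs, so it does not apply there.

```shell
#!/bin/sh
# Added example, not from the original thread. Linux only (needs sysfs).
# IFF_PROMISC is bit 0x100 (decimal 256) of the interface flags word.
IFF_PROMISC=256

# list_promisc [SYSFS_NET_DIR]
# Prints the name of every interface whose flags word has IFF_PROMISC set.
# Returns 0 if at least one such interface was found, 1 if none.
# The directory argument (default /sys/class/net) exists so the function
# can be exercised against a constructed tree.
list_promisc() {
    net_dir=${1:-/sys/class/net}
    found=1
    for dev in "$net_dir"/*; do
        [ -r "$dev/flags" ] || continue
        flags=$(cat "$dev/flags" 2>/dev/null) || continue
        # The kernel prints the word as hex, e.g. 0x1103. Reject anything
        # else before it reaches shell arithmetic.
        case $flags in
            0x*[!0-9a-fA-F]*) continue ;;
            0x?*) ;;
            *) continue ;;
        esac
        if [ $(( $flags & IFF_PROMISC )) -ne 0 ]; then
            printf '%s\n' "${dev##*/}"
            found=0
        fi
    done
    return $found
}

# Usage: list_promisc || echo "no interface is in promiscuous mode"
```

Running it once before starting tcpdump and once while a capture is active shows whether the mode is tied to the running process rather than to the installed packages.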
pcap_activate
PCAP_ACTIVATE(3PCAP) PCAP_ACTIVATE(3PCAP)
NAME
pcap_activate - activate a capture handle
SYNOPSIS
#include <pcap/pcap.h>
int pcap_activate(pcap_t *p);
DESCRIPTION
pcap_activate() is used to activate a packet capture handle to look at packets on the network, with the options that were set on the handle
being in effect.
RETURN VALUE
pcap_activate() returns 0 on success without warnings, PCAP_WARNING_PROMISC_NOTSUP on success on a device that doesn't support promiscuous
mode if promiscuous mode was requested, PCAP_WARNING_TSTAMP_TYPE_NOTSUP on success if the time stamp type specified in a previous
pcap_set_tstamp_type() call isn't supported by the capture source (the time stamp type is left as the default), PCAP_WARNING on success
with any other warning, PCAP_ERROR_ACTIVATED if the handle has already been activated, PCAP_ERROR_NO_SUCH_DEVICE if the capture source
specified when the handle was created doesn't exist, PCAP_ERROR_PERM_DENIED if the process doesn't have permission to open the capture
source, PCAP_ERROR_PROMISC_PERM_DENIED if the process has permission to open the capture source but doesn't have permission to put it into
promiscuous mode, PCAP_ERROR_RFMON_NOTSUP if monitor mode was specified but the capture source doesn't support monitor mode,
PCAP_ERROR_IFACE_NOT_UP if the capture source is not up, and PCAP_ERROR if another error occurred. If PCAP_WARNING or PCAP_ERROR is
returned, pcap_geterr() or pcap_perror() may be called with p as an argument to fetch or display a message describing the warning or error.
If PCAP_WARNING_PROMISC_NOTSUP, PCAP_ERROR_NO_SUCH_DEVICE, or PCAP_ERROR_PERM_DENIED is returned, pcap_geterr() or pcap_perror() may be
called with p as an argument to fetch or display a message giving additional details about the problem that might be useful for debugging
the problem if it's unexpected.
SEE ALSO
pcap(3PCAP)
5 April 2008 PCAP_ACTIVATE(3PCAP)