Thread: Can't set promiscuous mode on interface

  1. #1

    Can't set promiscuous mode on interface

    I am trying to configure promiscuous mode for ethernet interfaces via sysconfig files but it doesn't work.

    ifcfg files -
    Code:
    [Tue Sep 29 21:40:42 root@apsis /etc/sysconfig/network] 
    # cat ifcfg-eth1
    BOOTPROTO='static'
    STARTMODE='auto'
    IPADDR='192.168.0.200/24'
    ETHTOOL_OPTIONS='-K rx tx sg tso gso gro off speed 1000 duplex full autoneg off'
    PROMISC='yes'
    
    [Tue Sep 29 21:40:53 root@apsis /etc/sysconfig/network] 
    # cat ifcfg-eth2
    BOOTPROTO='none'
    STARTMODE='auto'
    IPADDR='0.0.0.0'
    ETHTOOL_OPTIONS='-K rx tx sg tso ufo gso gro lro off -G rx 4096 speed 1000 duplex full autoneg off'
    PROMISC='yes'
    
    [Tue Sep 29 21:40:55 root@apsis /etc/sysconfig/network] 
    # cat ifcfg-eth3
    BOOTPROTO='none'
    STARTMODE='auto'
    IPADDR='0.0.0.0'
    ETHTOOL_OPTIONS='-K rx tx sg tso ufo gso gro lro off -G rx 4096 speed 1000 duplex full autoneg off'
    PROMISC='yes'

    interfaces -
    Code:
    [Tue Sep 29 21:11:53 root@apsis /usr/local/src] 
    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
        link/ether c6:af:fd:9a:d1:78 brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 74:d0:2b:2b:1a:42 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
           valid_lft forever preferred_lft forever
    4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:1a:64:92:13:18 brd ff:ff:ff:ff:ff:ff
    5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:1a:64:92:13:19 brd ff:ff:ff:ff:ff:ff

    I can create a systemd service file and set promiscuous mode with /usr/sbin/ip, but I would prefer doing this with ifcfg files. Please help.

  2. #2

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by coldboot View Post
    I am trying to configure promiscuous mode for ethernet interfaces via sysconfig files but it doesn't work.
    What made you think it would work? Please show documentation or manual page that describes this parameter.

  3. #3

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by arvidjaar View Post
    What made you think it would work? Please show documentation or manual page that describes this parameter.
    Checked man page before, it isn't there. Stumbled upon this thread https://forums.opensuse.org/showthre...13#post2893813 on this forum.

  4. #4

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by coldboot View Post
    I am trying to configure promiscuous mode for ethernet interfaces via sysconfig files but it doesn't work.
    Why?

    If your Use Case is “Wireshark” then:
    • Those users who need to use Wireshark to gather network information, have to be members of the “wireshark” group …
    • Those users who only have to analyse Wireshark traces, should not be members of the “wireshark” group – for security reasons …
    • It isn't necessary that, the user “root” be used for gathering Wireshark traces …

  5. #5

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by dcurtisfra View Post
    Why?

    If your Use Case is “Wireshark” then:
    • Those users who need to use Wireshark to gather network information, have to be members of the “wireshark” group …
    • Those users who only have to analyse Wireshark traces, should not be members of the “wireshark” group – for security reasons …
    • It isn't necessary that, the user “root” be used for gathering Wireshark traces …
    I need PROMISCUOUS mode for setting up zeek-af_packet-plugin and also to run Suricata in af_packet mode. I created a service file for promiscuous mode; it works that way, but I thought maybe it would be much nicer to configure it via ifcfg if possible. I do not use the Wireshark GUI for anything.

  6. #6

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by coldboot View Post
    I need PROMISCUOUS mode for setting up zeek-af_packet-plugin
    Are you sure? – <https://packages.zeek.org/packages/v...1-0a645a3f3086>
    The AF_Packet plugin automatically enables promiscuous mode on the interfaces.
    Quote Originally Posted by coldboot View Post
    and also to run suricata in af_packet mode.
    Are you sure? – <https://suricata.readthedocs.io/en/l...et-acquisition>
    10.3.6. Packet acquisition

    suricata.yaml

    Suricata has all packet acquisition support built-in. Its configuration format is very verbose.
    Code:
    pcap:
      - interface: eth0
        #buffer-size: 16777216
        #bpf-filter: "tcp and port 25"
        #checksum-checks: auto
        #threads: 16
        #promisc: no
        #snaplen: 1518
    pfring:
    afpacket:
    nfq:
    ipfw:

  7. #7

    Re: Can't set promiscuous mode on interface

    Not having done this for quite a while, I went ahead and looked at this and verified the @OP finding...
    Ordinarily or at least in the past you should have been able to just add "PROMISC='on'" to the ifcfg file and that would be it.
    Does not work with wicked, it fails silently.

    I looked further at whether it's possible to edit the interface metadata wherever it might be, but after looking through the wicked man pages, I could find ways to display but not edit metadata.

    The @OP posted one way he found to make the setting persistent.
    Since the following command does work to manually set promiscuous mode but is non-persistent
    Code:
    ip link set [interface] promisc on
    My recommended workaround is the time-honored way (a standard way, for decades, to run commands on bootup to modify default system settings): simply add the command to the following file
    Code:
    /etc/sysctl.conf
    A few years ago, this file contained a comment that this file would eventually be deprecated (surprising!) but I don't see that comment anymore.

    I have no idea whether this is a Wicked bug, but the larger issue of being able to display but not edit wicked interface metadata is a fairly significant black hole in wicked documentation.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by dcurtisfra View Post
    Why?

    If your Use Case is “Wireshark” then:
    • Those users who need to use Wireshark to gather network information, have to be members of the “wireshark” group …
    • Those users who only have to analyse Wireshark traces, should not be members of the “wireshark” group – for security reasons …
    • It isn't necessary that, the user “root” be used for gathering Wireshark traces …
    Promiscuous mode is used any time you want to capture all packets on the wire, not just packets destined for the local machine (ordinarily any packets on the wire with a different address are ignored at a very low level so as not to use machine resources unnecessarily).

    Promiscuous mode is desired or necessary when
    - using a single machine to passively monitor network traffic on the wire without setting up as a critical node
    - Doing pentesting, either as a white hat or black hat.

    Even when using Wireshark, it makes a difference if you're analyzing packets destined for the local machine only if you want to capture all network traffic on the wire, even packets destined for other hosts.

    TSU

  9. #9

    Re: Can't set promiscuous mode on interface

    Quote Originally Posted by tsu2 View Post
    Promiscuous mode is desired or necessary when
    - using a single machine to passively monitor network traffic on the wire without setting up as a critical node
    - Doing pentesting, either as a white hat or black hat.
    AFAICS, “sniffers” such as Zeek, Suricata and Wireshark all set up Promiscuous Mode on the interface(s) by themselves – on their own …
    • They possibly include ‘/usr/include/linux/capability.h’ – “CAP_NET_ADMIN” needs to be setup to allow setting promiscuous mode.
    • They possibly include ‘/usr/include/linux/if.h’ or ‘/usr/include/net/if.h’ – “IFF_PROMISC” to receive all packets. It can be toggled through sysfs.
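
A check for the silent failure discussed in this thread, as an added example that is not part of any post: it finds ifcfg files that request `PROMISC` and compares each with the IFF_PROMISC bit (0x100) in `/sys/class/net/<iface>/flags`. The function names and the demo data are constructed for illustration; the default paths are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: find interfaces whose ifcfg file asks for promiscuous mode
# but whose live flags lack IFF_PROMISC. Function names are illustrative.
IFF_PROMISC=256   # 0x100 in linux/if.h

# is_promisc FLAGS -> true if a sysfs flags value (e.g. 0x1103) has the bit set
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# wants_promisc FILE -> true if the file sets PROMISC to yes/on (quotes optional)
wants_promisc() {
    grep -Eq "^[[:space:]]*PROMISC=['\"]?(yes|on)['\"]?[[:space:]]*$" "$1"
}

# audit_promisc [CFG_DIR] [SYSFS_DIR] -> prints "<iface> ok|MISMATCH|absent"
# for every requesting ifcfg file; returns 1 if any interface is a MISMATCH.
audit_promisc() {
    cfg_dir=${1:-/etc/sysconfig/network}
    sys_dir=${2:-/sys/class/net}
    rc=0
    for f in "$cfg_dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        wants_promisc "$f" || continue
        iface=${f##*/ifcfg-}
        if [ ! -r "$sys_dir/$iface/flags" ]; then
            echo "$iface absent"
        elif is_promisc "$(cat "$sys_dir/$iface/flags")"; then
            echo "$iface ok"
        else
            echo "$iface MISMATCH"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo data (not taken from the thread's machine): eth1 requests
# promiscuous mode but its flags lack the bit; eth2 requests it and has it.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/cfg" "$d/sys/eth1" "$d/sys/eth2"
    printf "PROMISC='yes'\n" > "$d/cfg/ifcfg-eth1"
    printf "PROMISC='yes'\n" > "$d/cfg/ifcfg-eth2"
    echo 0x1003 > "$d/sys/eth1/flags"
    echo 0x1103 > "$d/sys/eth2/flags"
    audit_promisc "$d/cfg" "$d/sys" || echo "audit returned $?"
    rm -rf "$d"
}
demo
```

Calling `audit_promisc` with no arguments uses the default paths; a non-zero return can gate the start of a capture service.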
