Can't set promiscuous mode on interface

I am trying to configure promiscuous mode for ethernet interfaces via sysconfig files but it doesn’t work.

ifcfg files -

[Tue Sep 29 21:40:42 root@apsis /etc/sysconfig/network] 
# cat ifcfg-eth1
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='192.168.0.200/24'
ETHTOOL_OPTIONS='-K rx tx sg tso gso gro off speed 1000 duplex full autoneg off'
PROMISC='yes'

[Tue Sep 29 21:40:53 root@apsis /etc/sysconfig/network] 
# cat ifcfg-eth2
BOOTPROTO='none'
STARTMODE='auto'
IPADDR='0.0.0.0'
ETHTOOL_OPTIONS='-K rx tx sg tso ufo gso gro lro off -G rx 4096 speed 1000 duplex full autoneg off'
PROMISC='yes'

[Tue Sep 29 21:40:55 root@apsis /etc/sysconfig/network] 
# cat ifcfg-eth3
BOOTPROTO='none'
STARTMODE='auto'
IPADDR='0.0.0.0'
ETHTOOL_OPTIONS='-K rx tx sg tso ufo gso gro lro off -G rx 4096 speed 1000 duplex full autoneg off'
PROMISC='yes'


interfaces -

[Tue Sep 29 21:11:53 root@apsis /usr/local/src] 
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether c6:af:fd:9a:d1:78 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 74:d0:2b:2b:1a:42 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1a:64:92:13:18 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1a:64:92:13:19 brd ff:ff:ff:ff:ff:ff


I can create a systemd service file and set promiscuous mode with /usr/sbin/ip, but I would prefer doing this with ifcfg files. Please help.

What made you think it would work? Please show documentation or manual page that describes this parameter.

Checked man page before, it isn’t there. Stumbled upon this thread https://forums.opensuse.org/showthread.php/534881-how-to-set-promiscuous-mode-on-eth0?p=2893813#post2893813 on this forum.

Why?

If your Use Case is “Wireshark” then:

  • Those users who need to use Wireshark to gather network information, have to be members of the “wireshark” group …
  • Those users who only have to analyse Wireshark traces, should not be members of the “wireshark” group – for security reasons …
  • It isn’t necessary that the user “root” be used for gathering Wireshark traces …

I need PROMISCUOUS mode for setting up zeek-af_packet-plugin and also to run Suricata in af_packet mode. I created a service file for promiscuous mode, and it works that way, but I thought it might be much nicer to configure it via ifcfg if possible. I do not use the Wireshark GUI for anything.

Are you sure? – <https://packages.zeek.org/packages/view/116ce440-f435-11e9-9321-0a645a3f3086>

The AF_Packet plugin automatically enables promiscuous mode on the interfaces.

Are you sure? – 12.4. Snort.conf to Suricata.yaml — Suricata 8.0.0-dev documentation

10.3.6. Packet acquisition

suricata.yaml

Suricata has all packet acquisition support built-in. Its configuration format is very verbose.

pcap:
  - interface: eth0
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    #checksum-checks: auto
    #threads: 16
    #promisc: no
    #snaplen: 1518
pfring:
afpacket:
nfq:
ipfw:

Not having done this for quite a while, I went ahead and looked at this and verified the @OP finding…
Ordinarily or at least in the past you should have been able to just add “PROMISC=‘on’” to the ifcfg file and that would be it.
Does not work with wicked, it fails silently.

I looked further at whether it’s possible to edit the interface metadata wherever it might be but after looking through the wicked MAN pages, I could find ways to display but not edit metadata.

The @OP posted one way he found to make the setting persistent.
Since the following command does work to manually set promiscuous mode but is non-persistent:

ip link set [interface] promisc on

My recommended workaround is the time-honored way (for decades a standard way to run commands on boot-up to modify default system settings): simply add the command to the following file

/etc/sysctl.conf

A few years ago, this file contained a comment that this file would eventually be deprecated (surprising!) but I don’t see that comment anymore.

I have no idea whether this is a Wicked bug, but the larger issue of displaying but unable to edit wicked interface metadata is a fairly significant black hole in wicked documentation.

TSU

Promiscuous mode is used any time you want to capture all packets on the wire, not just packets destined for the local machine (ordinarily any packets on the wire with a different address are ignored at a very low level so as not to use machine resources unnecessarily).

Promiscuous mode is desired or necessary when

  • using a single machine to passively monitor network traffic on the wire without setting up as a critical node
  • Doing pentesting, either as a white hat or black hat.

Even when using Wireshark, it makes a difference whether you’re analyzing packets destined for the local machine only or you want to capture all network traffic on the wire, even packets destined for other hosts.

TSU

AFAICS, “sniffers” such as Zeek, Suricata and Wireshark all set up Promiscuous Mode on the interface(s) by themselves – on their own …

  • They possibly include ‘/usr/include/linux/capability.h’ – “CAP_NET_ADMIN” needs to be set up to allow setting promiscuous mode.
  • They possibly include ‘/usr/include/linux/if.h’ or ‘/usr/include/net/if.h’ – “IFF_PROMISC” to receive all packets. It can be toggled through sysfs.
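As an added example (not from any post in this thread), a POSIX shell script that does what the OP's systemd unit does: it enables promiscuous mode with `ip link set ... promisc on` on the named interfaces and then verifies the result by reading the IFF_PROMISC bit (0x100, from linux/if.h) out of /sys/class/net/<iface>/flags, so a sensor NIC that silently lost the flag is reported instead of assumed. The script path and unit name in the comments are assumptions.

```shell
#!/bin/sh
# Enable and verify promiscuous mode on sensor interfaces.
# IFF_PROMISC is bit 0x100 of the flags word exposed in
# /sys/class/net/<iface>/flags (see linux/if.h).
IFF_PROMISC=256

# is_promisc_flags HEXFLAGS -> prints "yes" or "no" for a flags word
# such as 0x1103 (UP|BROADCAST|MULTICAST|PROMISC) or 0x1003 (no PROMISC).
is_promisc_flags() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# iface_promisc IFACE -> "yes"/"no" from sysfs, or "missing" (rc 1)
# when the interface does not exist.
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo missing; return 1; }
    is_promisc_flags "$(cat "$f")"
}

# ensure_promisc IFACE... : turn promisc on where it is off and re-read
# sysfs afterwards; returns nonzero if any interface is still not promisc.
ensure_promisc() {
    rc=0
    for i in "$@"; do
        state=$(iface_promisc "$i")
        case $state in
            yes) echo "$i: promisc already on" ;;
            no)  ip link set "$i" promisc on
                 state=$(iface_promisc "$i")
                 echo "$i: promisc now $state"
                 [ "$state" = yes ] || rc=1 ;;
            *)   echo "$i: no such interface" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Run only when interfaces are given, e.g. from a oneshot unit (assumed
# path and name) such as /etc/systemd/system/promisc-sensor.service:
#   [Service] Type=oneshot ExecStart=/usr/local/sbin/promisc-sensor.sh eth2 eth3
#   [Install] WantedBy=multi-user.target
if [ $# -gt 0 ]; then
    ensure_promisc "$@"
fi
```

sysctl(8) reads key = value kernel parameters from /etc/sysctl.conf and does not execute commands, so a unit like the OP's is the usual place for the ip link set call; the sysfs check above also works on its own as a quick audit of which interfaces are currently promiscuous.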