[Tue Sep 29 21:11:53 root@apsis /usr/local/src]
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether c6:af:fd:9a:d1:78 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 74:d0:2b:2b:1a:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1a:64:92:13:18 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1a:64:92:13:19 brd ff:ff:ff:ff:ff:ff
I can create a systemd service file and set promiscuous with /usr/sbin/ip, but I would prefer doing this with ifcfg files. Please help.
I need PROMISCUOUS mode for setting up zeek-af_packet-plugin and also to run Suricata in af_packet mode. I created a service file for promiscuous mode, and it works that way, but I thought maybe it would be much nicer to configure it via ifcfg if possible. I do not use the Wireshark GUI for anything.
Not having done this for quite a while, I went ahead and looked at this and verified the @OP's finding…
Ordinarily, or at least in the past, you should have been able to just add “PROMISC=‘on’” to the ifcfg file and that would be it.
It does not work with wicked; it fails silently.
I looked further at whether it’s possible to edit the interface metadata wherever it might be, but after looking through the wicked man pages, I could find ways to display but not edit metadata.
The @OP posted one way he found to make the setting persistent.
Since the following command does work to manually set promiscuous mode but is non-persistent:
ip link set [interface] promisc on
My recommended workaround is the time-honored way (a standard way for decades to run commands on bootup to modify default system settings), which is to simply add the command to the following file:
/etc/sysctl.conf
A few years ago, this file contained a comment that this file would eventually be deprecated (surprising!) but I don’t see that comment anymore.
I have no idea whether this is a wicked bug, but the larger issue of being able to display but unable to edit wicked interface metadata is a fairly significant black hole in the wicked documentation.
Promiscuous mode is used any time you want to capture all packets on the wire, not just packets destined for the local machine (ordinarily any packets on the wire with a different address are ignored at a very low level so as not to use machine resources unnecessarily).
Promiscuous mode is desired or necessary when:
Using a single machine to passively monitor network traffic on the wire without setting up as a critical node.
Doing pentesting, either as a white hat or black hat.
Even when using Wireshark, it makes a difference if you’re analyzing packets destined for the local machine only if you want to capture all network traffic on the wire, even packets destined for other hosts.
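Because the thread reports that the ifcfg setting fails silently, a sensor host benefits from a check that the capture interfaces really carry the PROMISC flag before Zeek or Suricata starts. The script below is an added example, not from any poster in the thread; it parses `ip link` output, and the interface names, sample text and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify PROMISC on capture interfaces.

# promisc_missing "<ifaces>": reads `ip link` / `ip a` text on stdin and prints
# every wanted interface that lacks the PROMISC flag or is not present at all.
promisc_missing() {
    awk -v wanted="$1" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    # Header lines look like "4: eth2: <BROADCAST,...,UP> mtu 1500 ..."
    /^[0-9]+: / {
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        flags = $3; gsub(/[<>]/, "", flags)
        if (name in need) {
            seen[name] = 1
            if (("," flags ",") !~ /,PROMISC,/) print name
        }
    }
    END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] " (not found)" }
    '
}

# Constructed sample: eth2 was set with `ip link set eth2 promisc on`, eth3 was not.
SAMPLE='4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:00:5e:00:53:02 brd ff:ff:ff:ff:ff:ff'

# sensor_ready "<ifaces>" [text]: returns 0 only if every interface is promiscuous.
# With one argument it inspects the live system via `ip -o link show`.
sensor_ready() {
    if [ $# -ge 2 ]; then
        missing=$(printf '%s\n' "$2" | promisc_missing "$1")
    else
        missing=$(ip -o link show | promisc_missing "$1")
    fi
    [ -z "$missing" ] && return 0
    echo "not promiscuous: $missing" >&2
    return 1
}

# Demo on the constructed sample; eth3 is reported on stderr.
sensor_ready "eth2 eth3" "$SAMPLE" || echo "sensor interfaces are not ready"
```

On a live host, calling `sensor_ready "eth2 eth3"` with no second argument reads the current interface state, so it can gate the start of the capture service.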