Ethereal-dev: Re: [ethereal-dev] Ethereal leaves interface in promiscuous mode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Thu, 27 Apr 2000 10:19:51 -0500
On Thu, Apr 27, 2000 at 04:29:14AM -0500, Richard Sharpe wrote:
> 
> 
> >From: crh@xxxxxxxxxxxx (Christopher R. Hertel)
> >Richard,
> >
> >Also, I have a small bug to report in Ethereal.  It leaves the interface
> >in promiscuous mode when I exit.  I'm using the April 13 release.  I have
> >it setuid root so I can run it on my inside-the-firewall Debian system
> >without having to be root.
> >
> >Chris -)-----

I assume this is a Linux system. 

The README.linux file says this:

:  In addition, current versions of libpcap on at least some Linux
:  distributions will not turn promiscuous mode off on a network device
:  until the program using promiscuous mode exits, so if you start a
:  capture with Ethereal on some Linux distributions, the network interface
:  will be put in promiscuous mode and will remain in promiscuous mode
:  until Ethereal exits.  There might be additional libpcap bugs that cause
:  it not to be turned off even when Ethereal exits; if your network is
:  busy, this could cause the Linux networking stack to do a lot more work
:  discarding packets not intended for the machine, so you may want to
:  check, after running Ethereal, whether any network interfaces are in
:  promiscuous mode (the output of "ifconfig -a" will say something such as
:  
:  eth0      Link encap:Ethernet  HWaddr 00:00:66:66:66:66
:            inet addr:66.66.66.66  Bcast:66.66.66.255  Mask:255.255.255.0
:            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
:            RX packets:6493 errors:0 dropped:0 overruns:0 frame:0
:            TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
:            collisions:0 txqueuelen:100 
:            Interrupt:18 Base address:0xfc80 
:  
:  with "PROMISC" indicating that the interface is in promiscuous mode),
:  and, if any interfaces are in promiscuous mode and no capture is being
:  done on that interface, turn promiscuous mode off by hand with
:  
:  	ifconfig <ifname> -promisc
:  
:  where "<ifname>" is the name of the interface.

And in fact, when I checked on my Linux system, my eth0 was indeed
in promiscuous mode when it should not have been. After clearing 
promiscuous mode, I was not able to reproduce the case where Ethereal/
libpcap leaves the interface in promiscuous mode after exiting. I'm
sure it will happen; I just won't notice it.

I'm not sure what the "additional libpcap bugs" might be. However, it
seems more logical to me that libpcap should turn of promiscous mode
in the pcap_close() call, not by registering a function with atexit()
like it currently does. But I suppose the writers of libpcap always
assumed tcpdump-like usage... a one-shot sniff of the network instead of
a long-running GUI.

--gilbert