8770609 2002-07-25 00:20 +0400  /22 lines/ Ricardo Branco <97-29312@ldc.usb.ve>
Sent by: joel@lysator.liu.se
Imported: 2002-07-24  23:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23227>
Subject: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Ricardo Branco <97-29312@ldc.usb.ve>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.32.0207250011340.5286-100000@korba.ldc.usb.ve>


This affects Linux 2.2 and 2.4

Using libpcap to put the interface in promiscuous mode, will cause
that ifconfig(8) doesn't show it!

libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...)
with PACKET_MR_PROMISC to set the interface in promiscuous mode.

I notified this to the tcpdump-workers mailing list and the problem
is that the setsockopt() sets the promisc flag in a variable that is
not the same as the one that the SIOCGIFFLAGS ioctl() reads. I don't
have the kernel source right now to make this advisory more precise.

Well, sorry for my not-so-good English
Enjoy
(8770609) /Ricardo Branco <97-29312@ldc.usb.ve>/(Rewrapped)
Comment in text 8773837 by Paul Starzetz <paul@starzetz.de>
Comment in text 8773840 by Glynn Clements <glynn.clements@virgin.net>
Comment in text 8773875 by Frédéric Raynal <frederic.raynal@inria.fr>
Comment in text 8773904 by Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
8773837 2002-07-25 11:39 +0200  /26 lines/ Paul Starzetz <paul@starzetz.de>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  19:10  by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23248>
Comment to text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Paul Starzetz <paul@starzetz.de>
To: Ricardo Branco <97-29312@ldc.usb.ve>, bugtraq@securityfocus.com
Message-ID: <3D3FC73D.4080100@starzetz.de>

Ricardo Branco wrote:

>This affects Linux 2.2 and 2.4
>
>Using libpcap to put the interface in promiscuous mode, will cause that
>ifconfig(8) doesn't show it!
>  
>
This is an old issue (noticed this nearly 2 years ago...) but can be 
attributed to 'bad' userspace tools.

>libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
>PACKET_MR_PROMISC to set the interface in promiscuous mode.
>  
>
The interesting thing is that the PF_PACKET sockets are also not 
reported by netstat. Anyway this should be fixed.

/ih
(8773837) /Paul Starzetz <paul@starzetz.de>/--------
8773840 2002-07-25 04:50 +0100  /28 lines/ Glynn Clements <glynn.clements@virgin.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  19:11  by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23249>
Comment to text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Glynn Clements <glynn.clements@virgin.net>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: <bugtraq@securityfocus.com>
Message-ID: <15679.30075.748098.171790@cerise.nosuchdomain.co.uk>


Ricardo Branco wrote:

> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
> 
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
> 
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.

This issue was discussed extensively on the linux-net list back in
February, in the thread entitled "IFF_PROMISC bug?":

	http://marc.theaimsgroup.com/?t=101356558000002&r=1&w=2

-- 
Glynn Clements <glynn.clements@virgin.net>
(8773840) /Glynn Clements <glynn.clements@virgin.net>/
8773875 2002-07-25 08:09 +0200  /72 lines/ Frédéric Raynal <frederic.raynal@inria.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  19:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23251>
Comment to text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Frédéric Raynal <frederic.raynal@inria.fr>
To: bugtraq@securityfocus.com
Message-ID: <20020725080944.A14261@minimum.inria.fr>


	Hello,

This is a well-known issue and C. Grenier and I have understood why
very recently. In fact, this is due to the changing of the handling of 
promiscuous mode in kernel space.

With kernel 2.0, one had to perform the following to set the interface
to promiscuous mode:
  
  strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
  ioctl(sock, SIOCGIFFLAGS, &ifr);
  ifr.ifr_flags |= IFF_PROMISC;
  ioctl(sock, SIOCSIFFLAGS, &ifr);

The trouble was that the promiscuous mode was handled by a flag.  Each
time a process sets this mode, the flag is set. But if another process
removes this mode, the flag is cleared. Rather bad behavior.

Since kernel 2.2, a process must ask to enter in a membership of
process (setsockopt(..., PACKET_ADD_MEMBERSHIP,...)) using the
interface in promiscuous mode. A counter is then increased. Once a
process of the membership does not need the promiscuous mode anymore,
it drops the membership (setsockopt(..., PACKET_DROP_MEMBERSHIP, ...)),
the counter is decreased, and promiscuous mode is disabled as soon as
the counter is 0. 

  struct packet_mreq mr;
  ...
  memset(&mr, 0, sizeof(mr));
  mr.mr_ifindex = ifr.ifr_ifindex;
  mr.mr_type = PACKET_MR_PROMISC;
  setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, (char *)&mr, sizeof(mr));



The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode set by
ioctl(SIOCSIFFLAGS).


--
Frederic RAYNAL, Ph.D.
http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook



On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
> 
> This affects Linux 2.2 and 2.4
> 
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
> 
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
> 
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.
> 
> Well, sorry for my not-so-good English
> Enjoy
>
(8773875) /Frédéric Raynal <frederic.raynal@inria.fr>/(Rewrapped)
Comment in text 8774363 by Casper Dik <Casper.Dik@Sun.COM>
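
The mismatch described in the message above can be checked from userspace on later kernels. The C program below is an added example, not code from the thread: it reads an interface's flags through ioctl(SIOCGIFFLAGS), as ifconfig does, and compares them with the raw device flags in /sys/class/net/<if>/flags. The sysfs path is an assumption (sysfs does not exist on the 2.2 and 2.4 kernels discussed here), and the names parse_sysfs_flags, classify and check_interface are invented for the example.

```c
#define _DEFAULT_SOURCE /* added example; assumes Linux with sysfs at /sys */
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

enum promisc_state { PROMISC_OFF, PROMISC_REPORTED, PROMISC_HIDDEN };

/* Parse the text of /sys/class/net/<if>/flags, e.g. "0x1103\n". */
int parse_sysfs_flags(const char *text, unsigned *out)
{
    char *end;
    unsigned long v = strtoul(text, &end, 16);
    if (end == text || (*end != '\0' && *end != '\n') || v > 0xffffffffUL)
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* HIDDEN: the device is promiscuous but SIOCGIFFLAGS does not say so. */
enum promisc_state classify(unsigned ioctl_flags, unsigned sysfs_flags)
{
    if (ioctl_flags & IFF_PROMISC) return PROMISC_REPORTED;
    if (sysfs_flags & IFF_PROMISC) return PROMISC_HIDDEN;
    return PROMISC_OFF;
}

/* Query both views of one interface; -1 if either cannot be read. */
int check_interface(const char *name)
{
    char path[64], buf[32] = "";
    struct ifreq ifr;
    unsigned sys_flags = 0;
    FILE *f;
    int rc, sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    rc = ioctl(sock, SIOCGIFFLAGS, &ifr);   /* what ifconfig(8) reads */
    close(sock);
    snprintf(path, sizeof(path), "/sys/class/net/%s/flags", ifr.ifr_name);
    if (rc < 0 || !(f = fopen(path, "r"))) return -1;
    rc = fgets(buf, sizeof(buf), f) ? parse_sysfs_flags(buf, &sys_flags) : -1;
    fclose(f);
    return rc < 0 ? -1 : (int)classify((unsigned short)ifr.ifr_flags, sys_flags);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "cannot query", "off", "promiscuous", "promiscuous (hidden)" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], label[check_interface(argv[i]) + 1]);
    return 0;
}
```

Run it with one or more interface names as arguments; "promiscuous (hidden)" means the device is in promiscuous mode through the membership counter while SIOCGIFFLAGS still shows the flag clear.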
8774363 2002-07-25 20:29 +0200  /28 lines/ Casper Dik <Casper.Dik@Sun.COM>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  22:00  by Brevbäraren
External recipient: Frédéric Raynal <frederic.raynal@inria.fr>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23254>
Comment to text 8773875 by Frédéric Raynal <frederic.raynal@inria.fr>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Casper Dik <Casper.Dik@Sun.COM>
To: Frédéric Raynal <frederic.raynal@inria.fr>
Cc: bugtraq@securityfocus.com
Message-ID: <200207251829.UAA27802@romulus.Holland.Sun.COM>


>The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode set by
>ioctl(SIOCSIFFLAGS).

This is the same reason why Promiscuous mode is never reported by
"ifconfig" in Solaris 2.0 and later.

In Solaris, ifconfig primarily (or perhaps only) deals with the
"IP (or other network stack) plumbing" on devices; in that context
the "promiscuous" flag has no meaning either.

A number of Solaris device drivers export the fact whether they're
promiscuous using the "kstat" (kernel statistics) interface;
unfortunately not all devices support that yet.

$ kstat -p :::promisc
elxl:0:elxl0:promisc    off

We need to fix this for most SPARC hardware still.

Casper
(8774363) /Casper Dik <Casper.Dik@Sun.COM>/(Rewrapped)
8773904 2002-07-25 09:40 -0300  /91 lines/ Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  19:23  by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23252>
Comment to text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: "Ademar de Souza Reis Jr." <ademar@conectiva.com.br>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: bugtraq@securityfocus.com
Message-ID: <20020725124050.GA9854@conectiva.com.br>

On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
> 
> This affects Linux 2.2 and 2.4
> 
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
> 
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
> 
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.

I noticed it some time ago and did a little research to discover why
this happens. There are some results/discussion in our bugzilla:

http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=5201
(I'm sorry some parts of this page are in Brazilian Portuguese)

This subject was already discussed in the linux-kernel mailing list:

	PACKET_MR_PROMISC doesn't set IFF_PROMISC
	http://www.uwsg.iu.edu/hypermail/linux/kernel/0101.2/1349.html

	Misreporting of the PROMISC flag
	http://www.uwsg.iu.edu/hypermail/linux/kernel/9705.2/0284.html

And in the tcpdump-workers list:

	[tcpdump-workers] concerns about tcpdump
	http://www.tcpdump.org/lists/workers/2001/01/msg00192.html

	Re: [tcpdump-workers] concerns about tcpdump
	http://www.tcpdump.org/lists/workers/2001/01/msg00184.html

Transcribing some interesting parts of the message above:

...  "This means that only promiscuity requested by SIOCSIFFLAGS will
show up in SIOCGIFFLAGS, not promiscuity requested by
PACKET_MR_PROMISC."

...
"
> IFF_PROMISC is not set,

It's not supposed to be set.

The correct way to put into promiscuous mode the device to which a
PF_PACKET socket is to do a SOL_PACKET/PACKET_ADD_MEMBERSHIP
"setsockopt()" call with PACKET_MR_PROMISC as the argument (see the
"packet(7)" man page), and that's what libpcap is doing.

The old way of directly setting IFF_PROMISC had problems - [...]
...


And in another message (same thread):

"
Just to make things clear:

the >= 2.2 kernels have a new way of setting promiscuous mode via
setsockopt(). We use this since a few months in pcap. It has the
advantage of thread-safeness. The usage of ioctl() is
deprecated. ifconfig doesn't show the flag, b/c kernel filters it
out. Don't know why.

Administrators should note that they don't see sniffers anymore on >=
2.2 kernels!  "


Although I think fixing ifconfig would be a good thing(TM), it's
considered obsolete. Use the "ip" utility instead.

Cheers.
   - Ademar

-- 
Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
Conectiva S/A - http://www.conectiva.com

^[:wq!
(8773904) /Ademar de Souza Reis Jr. <ademar@conectiva.com.br>/(Rewrapped)
8770843 2002-07-25 01:06 +0200  /76 lines/ Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  01:27  by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23232>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0207250101220.19904-100000@grignard.amagerkollegiet.dk>

On Thu, 25 Jul 2002, Ricardo Branco wrote:

> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.

I can confirm that with 2.4.19-rc3. When using tcpdump (with libpcap),
ifconfig does not report that the interface is in promiscuous mode:

root@grignard:~# tcpdump -n -i eth0 > /dev/null &
[1] 20101
tcpdump: listening on eth0
root@grignard:~# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:90:27:A6:63:DC
          inet addr:172.16.0.130  Bcast:172.31.255.255  Mask:255.240.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1848637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2654247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:34909 txqueuelen:100
          RX bytes:231541983 (220.8 MiB)  TX bytes:3666205284 (3.4 GiB)
          Interrupt:10 Base address:0xb000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:101208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32332341 (30.8 MiB)  TX bytes:32332341 (30.8 MiB)

root@grignard:~# uname -a
Linux grignard 2.4.19-rc3 #1 lør jul 20 04:06:23 CEST 2002 i686 unknown
root@grignard:~#

tcpdump does use libpcap here, and it does set eth0 in promiscuous
mode:

moffe@grignard:~# ldd /usr/sbin/tcpdump
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x4001e000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
        libc.so.6 => /lib/libc.so.6 (0x4004e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
moffe@grignard:/tmp# dpkg -l libpcap0 tcpdump net-tools
Ønsket=Ukendt/Installér/Fjern/Udrens/Tilbagehold
| Status=Ikke/Installeret/Opsæt.-files/Upakket/Opsætn.-fejl/Halvt-inst.
|/ Fjl?=(ingen)/Tilbageholdt/Geninst.-krævet/X=begge-dele (Status,Fjl: versaler=slemt)
||/ Navn           Version        Beskrivelse
+++-==============-==============-============================================
ii  libpcap0       0.6.2-2        System interface for user-level packet captu
ii  tcpdump        3.6.2-2.0.1    A powerful tool for network monitoring and d
ii  net-tools      1.60-4         The NET-3 networking toolkit
moffe@grignard:~# dmesg
[...]
device eth0 entered promiscuous mode
device eth0 left promiscuous mode

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Don't you hate yourself in the morning?
- Sleep till noon!
----------------------------------[ moffe at amagerkollegiet dot dk ] --
(8770843) /Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>/(Rewrapped)
Comment in text 8770859 by <plattner@caltech.edu>
8770859 2002-07-24 18:21 -0500  /43 lines/ <plattner@caltech.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  01:43  by Brevbäraren
External recipient: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
External CC recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23233>
Comment to text 8770843 by Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: plattner@caltech.edu
To: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Cc: Ricardo Branco <97-29312@ldc.usb.ve>, bugtraq@securityfocus.com
Message-ID: <20020724232146.GA23775@aaron.homeip.net>

On Thu, Jul 25, 2002 at 01:06:02AM +0200, Rasmus Bøg Hansen wrote:
> On Thu, 25 Jul 2002, Ricardo Branco wrote:
> 
> > This affects Linux 2.2 and 2.4
> >
> > Using libpcap to put the interface in promiscuous mode, will cause that
> > ifconfig(8) doesn't show it!
> >
> > libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> > PACKET_MR_PROMISC to set the interface in promiscuous mode.
> 
> I can confirm that with 2.4.19-rc3. When using tcpdump (with libpcap),
> ifconfig does not report that the interface is in promiscuous mode:

ip (from iproute2), however, DOES report interfaces that are
promiscuous:

aaron root # tethereal -n -i eth0 > /dev/null &
[2] 23793
aaron root # Capturing on eth0
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:20:78:02:00:00
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::220:78ff:fe02:0/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:371623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:396584 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:131646171 (125.5 Mb)  TX bytes:128753858 (122.7 Mb)
          Interrupt:12 Base address:0xd000

aaron root # ip link ls dev eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:78:02:00:00 brd ff:ff:ff:ff:ff:ff
aaron root # ldd /usr/bin/tethereal | grep pcap
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x40143000)
aaron root #
(8770859) /<plattner@caltech.edu>/--------(Rewrapped)
Attachment (application/pgp-signature) in text 8770860
Comment in text 8773905 by <quentyn@fotango.com>
8770860 2002-07-24 18:21 -0500  /8 lines/ <plattner@caltech.edu>
Imported: 2002-07-25  01:43  by Brevbäraren
External recipient: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
External CC recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23234>
Attachment (text/plain) to text 8770859
Subject: Attachment to: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
(8770860) /<plattner@caltech.edu>/------------------