eth0 promiscuous mode

Nifty Hat Mitch mitch48 at sbcglobal.net
Tue Jan 25 05:06:28 UTC 2005


On Tue, Jan 25, 2005 at 12:56:34AM +0530, Prudhvi Krishna Surapaneni wrote:
> 
> Hello there,
>  
>      i wonder why my i get a message 
>      eth0: entering promiscuous mode
>     when ever i get that my Network becomes inavtive.
> 
>   plz help me its urgent

By chance is the DHCP lease expiring?

If so think about how the hardware has to poke and prod the net for a
new DHCP lease.  The software to get a new lease may have to put the
hardware in promiscuous mode to reconnect.  This DHCP lease expiration
might explain the loss of network connectivity.   

Other folks with Linux directly connected to the net and getting DHCP
services can verify.... how it acts.

If it is not DHCP....

I suspect that you are running arpd, arpwatch, rarpd or some network
watching tool.   You can also see this message if you have multicast or 
multiple IP addresses active on the same hardware port.

One caution for us all...   eth0: entering promiscuous mode could be
an (un)authorized packet snoop process:  ethereal, tcpdump....

My expectation is that this is the normal side effect of some
tool or service you are running.  Arpwatch...

For example if I start tcpdump.... this way.

    logger start tcpdump
    tcpdump -c2

I see this in /var/log/messages.

    Jan 24 20:40:09 Box2 root: start tcpdump
    Jan 24 20:40:12 Box2 kernel: eth0: Setting promiscuous mode.
    Jan 24 20:40:12 Box2 kernel: device eth0 entered promiscuous mode
    Jan 24 20:40:30 Box2 kernel: device eth0 left promiscuous mode

If you cannot find the program that has eth0 in promiscuous mode look
with 'lsof' for something like this:

  tethereal 5756    root    3u     sock        0,4               17678 can't identify protocol

The string "can't identify protocol" is key for common stuff.
There may be other things I do not know...

The key to understanding is that network hardware will listen for a
limited number of hardware destinations.  Commonly broadcast, it's own
MAC and perhaps a mask for multicast.  If any more network traffic
than this is wanted the hardware need to pass all traffic to a
software stack where more complex bit masks are handled.  Different
network chips have differing functionality to this end.

By chance if you look at the output of "ifconfig" do you have a
169.254.xxx.xxx address configured in addition to another IP address?

Do you have ntp in multicast/broadcast mode...

 169.254.x.x     - APIPA, Automatic Private IP Address


-- 
	T o m  M i t c h e l l 
	spam unwanted email.
	SPAM, good eats, and a trademark of  Hormel Foods.




More information about the users mailing list