
What is promiscuous mode and why is eth1 entering it?

Slackware64 14.1, kernel 3.10.17

I had a problem with my eth1 getting "eth1: Reset adapter unexpectedly" messages. I supposedly fixed this with `ethtool -K eth1 tso off` (see http://www.experts-exchange.com/OS/Linux/Q_28655340.html for more on that). However, now I am getting the following messages:
```
Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
Apr 15 13:21:55 mail kernel: [430436.382364] device eth1 entered promiscuous mode
Apr 15 13:26:27 mail kernel: [430709.031522] device eth1 left promiscuous mode
Apr 15 19:09:39 mail kernel: [451334.133223] device eth1 entered promiscuous mode
Apr 15 19:15:03 mail kernel: [451658.610595] device eth1 left promiscuous mode
Apr 15 19:15:10 mail kernel: [451665.564584] device eth1 entered promiscuous mode
Apr 15 19:17:08 mail kernel: [451783.851678] device eth1 left promiscuous mode
Apr 15 19:17:13 mail kernel: [451788.630887] device eth1 entered promiscuous mode
Apr 15 22:56:08 mail kernel: [464944.401261] device eth1 left promiscuous mode
Apr 16 00:53:38 mail kernel: [472006.574204] device eth1 entered promiscuous mode
Apr 16 00:54:22 mail kernel: [472049.842007] device eth1 left promiscuous mode
```


What is "promiscuous mode", why is eth1 entering and leaving it, and is this a bad thing?
Asked by: jmarkfoley

savone Commented:
Promiscuous mode is a mode the network card can enter to pass all packets it sees to the system.  

When not in promiscuous mode, the NIC only passes traffic destined for the system and filters out other packets.  

Read more here:
 http://en.wikipedia.org/wiki/Promiscuous_mode

Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc...) is being used.  It is almost impossible from the information we have to tell you exactly what is causing it.

It looks like the name of your server is "mail" which leads me to believe it is a mail server of some sort.  There is no reason to have promiscuous mode for mail exchange.

I do not want to scare you, but this can also be a sign of some unwanted folks on your system.  It wouldn't be the first time I have seen a compromised system be used to "discover" what is around it.

jmarkfoley (Author) Commented:
> Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc...) is being used.

Ah ha! That's it! I've been doing tcpdumps on the ntp port to see which LAN clients are requesting ntp updates. Now that I look at the most recent entries, I see that the "promiscuous" logs do correspond with when I started tcpdump. In fact, I just killed and restarted the tcpdump and immediately got successive "left" and "entered" messages.

Thanks. I should have figured that one out myself!

Steve Knight (IT Consultancy) Commented:
Don't worry about promiscuous mode putting any extra traffic into the box or allowing you to see anything else on the network, etc., as unless you are on a hub rather than a switch you will only see your own traffic anyway, unless the switch port is configured to allow it.

Question has a verified solution.
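
The check the author describes, matching the "entered"/"left" kernel messages against the times tcpdump was run, can be applied to a whole log by pairing the events into sessions. This is an added example, not code from the thread; `promisc_sessions`, `Session` and `EVENT` are hypothetical names, the first four sample lines come from the question and the fifth is constructed to show a session with no matching "left" line.

```python
import re
from typing import NamedTuple, Optional

# Syslog prefix, kernel uptime in seconds, interface name, transition.
EVENT = re.compile(
    r"^(?P<wall>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s+"
    r"\[\s*(?P<up>\d+\.\d+)\]\s+device\s+(?P<dev>\S+)\s+"
    r"(?P<what>entered|left)\s+promiscuous mode")

class Session(NamedTuple):
    dev: str
    start: str
    end: Optional[str]        # None: no matching "left" line
    seconds: Optional[float]  # from the kernel uptime stamps

def promisc_sessions(lines):
    """Pair entered/left events per interface (hypothetical helper)."""
    pending, sessions = {}, []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        dev, up = m["dev"], float(m["up"])
        if m["what"] == "entered":
            if dev in pending:  # earlier "left" line missing from the log
                sessions.append(Session(dev, pending[dev][0], None, None))
            pending[dev] = (m["wall"], up)
        elif dev in pending:
            wall, began = pending.pop(dev)
            sessions.append(Session(dev, wall, m["wall"], round(up - began, 3)))
    # Anything still pending is promiscuous at the end of the log.
    sessions += [Session(d, w, None, None) for d, (w, _) in pending.items()]
    return sessions

# First four lines are from the question; the last one is constructed.
SAMPLE = """\
Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
Apr 15 13:21:55 mail kernel: [430436.382364] device eth1 entered promiscuous mode
Apr 15 13:26:27 mail kernel: [430709.031522] device eth1 left promiscuous mode
Apr 16 03:10:02 mail kernel: [480190.000000] device eth1 entered promiscuous mode
""".splitlines()

if __name__ == "__main__":
    for s in promisc_sessions(SAMPLE):
        status = f"{s.seconds:.0f} s, until {s.end}" if s.end else "STILL OPEN"
        print(f"{s.dev}: from {s.start} ({status})")
```

Sessions that do not line up with a capture an administrator knowingly ran, or that never close, are the ones worth investigating.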
