What is promiscuous mode and why is eth1 entering it?

Slackware64 14.1, kernel 3.10.17

I had a problem with my eth1 getting "eth1: Reset adapter unexpectedly" messages. I supposedly fixed this with `ethtool -K eth1 tso off` (see http://www.experts-exchange.com/OS/Linux/Q_28655340.html for more on that). However, now I am getting the following messages:
Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
Apr 15 13:21:55 mail kernel: [430436.382364] device eth1 entered promiscuous mode
Apr 15 13:26:27 mail kernel: [430709.031522] device eth1 left promiscuous mode
Apr 15 19:09:39 mail kernel: [451334.133223] device eth1 entered promiscuous mode
Apr 15 19:15:03 mail kernel: [451658.610595] device eth1 left promiscuous mode
Apr 15 19:15:10 mail kernel: [451665.564584] device eth1 entered promiscuous mode
Apr 15 19:17:08 mail kernel: [451783.851678] device eth1 left promiscuous mode
Apr 15 19:17:13 mail kernel: [451788.630887] device eth1 entered promiscuous mode
Apr 15 22:56:08 mail kernel: [464944.401261] device eth1 left promiscuous mode
Apr 16 00:53:38 mail kernel: [472006.574204] device eth1 entered promiscuous mode
Apr 16 00:54:22 mail kernel: [472049.842007] device eth1 left promiscuous mode

Open in new window

What is "promiscuous mode", why is eth1 entering and leaving it, and is this a bad thing?
LVL 1
MarkAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

savoneCommented:
Promiscuous mode is a mode the network card can enter to pass all packets it sees to the system.  

When not in promiscuous mode, the NIC only passes traffic destined for the system and filters out other packets.  

Read more here:
 http://en.wikipedia.org/wiki/Promiscuous_mode

Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc...) is being used.  It is almost impossible from the information we have to tell you exactly what is causing it.

It looks like the name of your server is "mail" which leads me to believe it is a mail server of some sort.  There is no reason to have promiscuous mode for mail exchange.

I do not want to scare you, but this can also be a sign of some unwanted folks on your system.  It wouldn't be the first time I have seen a compromised system be used to "discover" what is around it.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MarkAuthor Commented:
Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc...) is being used.
Ah ha! That's it! I've been doing tcpdumps on the ntp port to see which LAN clients are requesting ntp updates. Now that I look at the most recent entries, I see that the "promiscuous" logs do correspond with when I started tcpdump. In fact, I just killed and restarted the tcpdump and immediately got successive "left" and "entered" messages.

Thanks. I should have figure that one out myself!
0
Steve KnightIT ConsultancyCommented:
Dont worry about being promiscuous mode putting any extra traffic into the box or allow you to see anything else on the network etc. as unless you are on a hub rather than switch you will only see your own traffic anyway unless the switch port is configured to allow.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.