What is 'promiscuous' mode?

Asked by tashi

Hi to all.

I'd simply like to know what promiscuous mode is, for example for jnettop. Does it mean that you can also spy on packets from another computer?

Thanks for answering, please, any help could be useful!

Question information

Language: English
Status: Solved
For: Ubuntu jnettop
Assignee: No assignee
Solved by: tashi

This question was reopened

Federico Vera (fedevera) said :
#1

Hi! Promiscuous mode is one of the ways of handling packets. It means that instead of 'pointing at the package' you bring it close to you... check the all-knowing Wikipedia[1] for a more technical definition.

Hope it helps!

[1] http://en.wikipedia.org/wiki/Promiscuous_mode

bhuvi (bhuvanesh) said :
#2

Take, for example, a wireless network: the information is transmitted through the air and any machine inside the network can hear it. In normal mode only the packets addressed to your machine are captured and used; other packets having different hardware addresses are captured and dropped by the wireless card. But if the card is in promiscuous mode, it captures all the packets it receives and sends them to the software layers. This is the same for wired cards too. Search for it on Google and you will get some nice detailed explanations.

Soul-Sing (soulzing) said :
#3

Promiscuous mode in Linux is always seen with so-called "file sharing" programs such as FrostWire, LimeWire, etc.

tashi (pierre-mirmont) said :
#4

Thanks to you all, great help!

tashi (pierre-mirmont) said :
#5

Thanks to you all! Actually it looks now like I knew it before asking, but great help!

tashi (pierre-mirmont) said :
#6

Thanks leoquant, that solved my question.

willjcroz (willjcroz) said :
#7

Hi,

Bhuvi answered your question correctly, with his example applying to wired networks also. Network utilities such as Wireshark enable promiscuous mode in order to see all the traffic on/in the wire/air. The prevalence of wired network switches prevents most wired frames that are not addressed to your network card from reaching it.

Leoquant: file sharing programs have nothing to do with the MAC (media access control) network layer at which promiscuous mode applies. Promiscuous mode is meaningless to traffic once it is routed onto the internet.

Soul-Sing (soulzing) said :
#8

Will, please monitor your logs while using file sharing programs; it is in the logs in plain text.
I am aware of the technical details, and just gave an example of how and when promiscuous mode is visible and used in Linux.

willjcroz (willjcroz) said :
#9

Leoquant, what logs do you mean? Kernel messages (/var/log/messages)? Or file sharing app logs?

For a process to enable promiscuous mode on a network card, it must have either elevated/super-user privileges or its executable must have the CAP_NET_ADMIN capability set. Either of these possibilities represents a major security risk with respect to a file sharing application.

Maybe you are confusing the cause of your machine entering promiscuous mode. Perhaps you are using virtualization to run Windows filesharing software and using a 'bridged' virtual network adapter, or maybe using a network sniffer such as Wireshark which is causing promiscuous mode. Or maybe the logs of your filesharing software use their own definition of 'promiscuous mode' with regards to its behaviour in connecting to other peers (over IP protocol).

Proper network interface promiscuous mode is only really entered for network sniffing/analysis or for transparent bridging between physical (or virtual) network segments. If you really are seeing kernel messages indicating promiscuous mode has been enabled, and it is because of specific file sharing software, I would investigate the integrity/security of this software as it has no business doing this! In fact it could be an indication of a rootkit being present on your system, see: http://www.chkrootkit.org/
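The check described in the reply above (kernel messages reporting promiscuous mode, plus the interface's current state) can be scripted as follows. This is an added example, not part of the original thread: the function names are hypothetical, the log lines are constructed, and the two message wordings matched are assumptions about the kernel log format, which varies by kernel version.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit, from <linux/if.h>
# Assumed log wordings: "device eth0 entered ..." and "eth0: entered ...".
PROMISC_RE = re.compile(
    r"(?:device\s+(?P<old>\S+)|(?P<new>[\w.@-]+):)\s+"
    r"(?P<action>entered|left)\s+promiscuous mode"
)

def promisc_from_sysfs(sys_net="/sys/class/net"):
    """Return interfaces whose flags word currently has IFF_PROMISC set."""
    found = []
    for flags_file in sorted(Path(sys_net).glob("*/flags")):
        try:
            flags = int(flags_file.read_text().strip(), 16)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable: skip it
        if flags & IFF_PROMISC:
            found.append(flags_file.parent.name)
    return found

def promisc_from_log(lines):
    """Replay kernel log lines; return (events, interfaces still promiscuous)."""
    events, active = [], set()
    for line in lines:
        m = PROMISC_RE.search(line)
        if not m:
            continue
        iface = m.group("old") or m.group("new")
        events.append((iface, m.group("action")))
        if m.group("action") == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return events, sorted(active)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    "Jan 10 09:14:02 host kernel: [ 812.4] device wlan0 entered promiscuous mode",
    "Jan 10 09:14:40 host kernel: [ 850.1] device wlan0 left promiscuous mode",
    "Jan 10 09:20:11 host kernel: [1181.7] device eth0 entered promiscuous mode",
    "Jan 10 09:21:00 host kernel: [1230.0] e1000e 0000:00:1f.6 eth1: entered promiscuous mode",
    "Jan 10 09:22:00 host kernel: [1290.0] usb 1-1: new high-speed USB device",
]

if __name__ == "__main__":
    print("log replay:", promisc_from_log(SAMPLE_LOG))
    print("sysfs now:", promisc_from_sysfs())
```

An interface reported here that is not explained by a running sniffer or a bridge is the case the reply says to investigate.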

tashi (pierre-mirmont) said :
#10

Actually, I'm only trying to find out who is using my WIFI network, and which friend uses it mostly! I thought jnettop could help me (in promiscuous mode) to know who uses the biggest part of the network, but actually no... Very often it just writes UNKNOWN <-> UNKNOWN (0.0.0.0), port 0, and the debit is often 0 too... So actually it looks like I can't know who uses my network the most, because I can't ask for the code to enter at the box address (192.168.1.1); just one person has it and does not want to give it...

So it may just be a wrong way trial, dunno yet...

tashi (pierre-mirmont) said :
#11

Thanks to all, now the problem is solved!
(was more a memory problem for me...)

tashi (pierre-mirmont) said :
#12

Right, the problem is solved...

But actually I'd like to know now what program I could use to spy/sniff a WIFI network, just to know who (IP or hostname) visits which web page for instance...

Does someone know the name of a program of that kind to tell me, that I could seek on the net?

Thanks again for your answers!

Launchpad Janitor (janitor) said :
#13

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

tashi (pierre-mirmont) said :
#14

Ok, looks like the problem is more clear now... Just to hear what other people say around me...

tashi (pierre-mirmont) said :
#15

So problem solved now!