OpenWrt Forum Archive

Topic: promiscuous mode?

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Been looking for about a week now and does not seem like anyone else has had this problem.  -must- just be me then...

On both a wrt54g v1 and v2 tcpdump seems to only be able to show traffic which is destined for the interface.  Though dmesg shows the interface goes into promiscuous mode, tcpdump does not seem to agree.  Get the same results on all wired interfaces.  ...am not using the wireless interface at all.  Only have wan and lan1 plugged in, have tried tcpdump on all interfaces save for eth2 with the same results.

The goal is just to play with snort (with very limited rules) on a 'monitored' switch port.

some dmesg output:
vlan1: dev_set_promiscuity(master, 1)
device vlan1 entered promiscuous mode
vlan1: dev_set_promiscuity(master, -1)
device vlan1 left promiscuous mode

root@OpenWrt:/# nvram show | sort | more
size: 1339 bytes (31429 left)
boardnum=42
boardtype=bcm94710dev
boot_ver=v1.0
boot_wait=off
clkfreq=125
dl_ram_addr=a0001000
et0macaddr=00:06:25:EB:9F:16
et0mdcport=0
et0phyaddr=30
et1macaddr=00:06:25:EB:9F:17
et1mdcport=1
et1phyaddr=30
lan_gateway=192.168.0.1
lan_ipaddr=192.168.0.12
lan_netmask=255.255.255.0
os_flash_addr=bfc40000
os_ram_addr=80001000
pmon_ver=PMON 3.11.30.5
scratch=a0180000
sdram_config=0x0000
sdram_init=0x0419
sdram_ncdl=0x00000000
sdram_refresh=0x8040
watchdog=1000
wl0_active_mac=
wl0_afterburner_override=-1
wl0_antdiv=-1
wl0_auth=0
wl0_auth_mode=disabled
wl0_bcn=100
wl0_channel=6
wl0_closed=0
wl0_corerev=4
wl0_country=Worldwide
wl0_country_code=AU
wl0_dtim=1
wl0_frag=2346
wl0_frameburst=on
wl0_gmode=1
wl0_gmode_protection=auto
wl0_hwaddr=00:06:25:E8:DC:98
wl0_ifname=eth2
wl0_infra=1
wl0_key1=
wl0_key2=
wl0_key3=
wl0_key4=
wl0_key=1
wl0_lazywds=1
wl0_mac_deny=
wl0_mac_list=
wl0_maclist=
wl0_macmode1=disabled
wl0_macmode=disabled
wl0_mode=ap
wl0_net_mode=mixed
wl0_passphrase=
wl0_phytype=g
wl0_phytypes=g
wl0_plcphdr=long
wl0_radio=1
wl0_radioids=BCM2050
wl0_radius_ipaddr=
wl0_radius_key=
wl0_radius_port=1812
wl0_rate=0
wl0_rateset=default
wl0_rts=2347
wl0_ssid=linksys
wl0_unit=0
wl0_wds=
wl0_wep=off
wl0_wep_bit=64
wl0_wep_buf=
wl0_wep_gen=
wl0_wep_last=
wl0_wpa_gtk_rekey=3600
wl0_wpa_psk=
wl_country_code=AU
root@OpenWrt:/proc/net/vlan#

Maybe I've got the version of libpcap or something?

root@OpenWrt:/# ipkg status
Package: dropbear
Status: install ok installed
Root: /
Conffiles: /etc/init.d/S51dropbear 0f0787230acf61853b7c2dc0ed182d59
Version: 0.44test3

Package: snort
Status: install ok installed
Root: /
Conffiles: /etc/default/snort 718ba1d7ee545058cb911d801a31f417 /etc/snort/snort.conf 2fdd016f652b129ecb884a64fc56a40d /etc/snort/threshold.conf 832db4c78f78ccd6847f228e469d62d0
Version: 2.3.3-1

Package: libnet
Status: install ok installed
Root: /
Version: 1.0.2a-7

Package: libpcap
Status: install ok installed
Root: /
Version: 0.8.3-1

Package: libpcre
Status: install ok installed
Root: /
Version: 5.0-3

Package: libgcc
Status: install ok installed
Root: /
Version: 3.4.4-2

Package: tcpdump
Status: install ok installed
Root: /
Version: 3.8.3-1


Thanks.

Think I figured it out.  The interfaces are switched, so unless you can span from one port to another I should not expect to see all frames.  ...makes sense now that I think about it.

Sniff the bridge interface br0.

AFAIK wireless is different enough from wired that promiscuous isn't enough.  If you want to sniff ALL traffic going over the airwaves, you'll have to bring down the wireless network interface and put it in monitor mode.  Then you'll need some software (such as kismet) to sniff.

Rupan wrote:

AFAIK wireless is different enough from wired that promiscuous isn't enough.  If you want to sniff ALL traffic going over the airwaves, you'll have to bring down the wireless network interface and put it in monitor mode.  Then you'll need some software (such as kismet) to sniff.

When the interface is in monitor mode, tcpdump can sniff too.

I appreciate the replies.

But, I am not using the wireless interface at all.  Have it downed actually. 
I want to sniff all traffic hitting one of the wired interfaces.  -I guess- the problem is that since the wired ports are switched, the br0 interface only sees frames the switch will send it (which would be multicast or broadcast frames or frames actually destined to one of the interfaces).  On a "regular" switch I would have to set up a port span to mirror all frames the wired port sees to the internal port (port 5, right?).

I have never seen a way to select ports for span (monitor/mirroring) so if the capability exists in the switch nobody has exposed it as far as I have seen. This has been asked a few times before. The only way you'll be able to sniff the traffic on the switch is to either not run it through a switch and plug a hub into one of the ports or separate each port into their own vlan and then sniff each vlan but that's a lot of extra work and complexity.
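A check for the situation this thread arrives at, added here as an example and not part of the original posts: it classifies the destination MAC of every frame in a text capture, so a sensor that only ever sees its own, broadcast and multicast frames is recognised as sitting behind a switch with no mirroring. It assumes the `tcpdump -e -n` line layout `TIME SRC > DST, ...`; the function names, MAC addresses and sample lines are constructed.

```shell
#!/bin/sh
# Added example. Reads `tcpdump -e -n` text on stdin (assumed line layout:
#   TIME SRC > DST, ethertype ..., length N: ...).
# $1 is the MAC address of the capturing interface.
classify_capture() {
    awk -v own="$1" '
    BEGIN { own = tolower(own) }
    $3 == ">" {
        dst = tolower($4); sub(/,$/, "", dst)
        # An odd second hex digit means the group bit is set (multicast).
        if (dst == own)                                 mine++
        else if (dst == "ff:ff:ff:ff:ff:ff")            bcast++
        else if (index("13579bdf", substr(dst, 2, 1)))  mcast++
        else                                            foreign++
    }
    END { printf "own=%d broadcast=%d multicast=%d foreign=%d\n",
                 mine, bcast, mcast, foreign }'
}

# No unicast frames for other hosts means the switch is not forwarding them.
verdict() {
    case "$(classify_capture "$1")" in
        *"foreign=0") echo "switched-only" ;;
        *)            echo "sees-foreign-unicast" ;;
    esac
}

# Constructed sample: what a CPU port behind a learning switch receives.
sample_switched() {
    cat <<'EOF'
12:00:01.000001 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.12 tell 192.168.0.20
12:00:01.000200 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 192.168.0.20 > 192.168.0.12: ICMP echo request
12:00:02.000000 02:00:00:00:00:0b > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.0.21.5353 > 224.0.0.251.5353: UDP
EOF
}

# Constructed sample: the same traffic seen through a hub or a mirrored port.
sample_mirrored() {
    sample_switched
    cat <<'EOF'
12:00:03.000000 02:00:00:00:00:0a > 02:00:00:00:00:0b, ethertype IPv4 (0x0800), length 74: 192.168.0.20.40000 > 192.168.0.21.80: tcp 0
12:00:03.000400 02:00:00:00:00:0b > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 192.168.0.21.80 > 192.168.0.20.40000: tcp 0
EOF
}

sample_switched | classify_capture 02:00:00:00:00:01
sample_mirrored | verdict 02:00:00:00:00:01
```

On a live sensor the input would come from a capture on the interface in question, piped into `verdict` with that interface's MAC; an empty capture also reports `switched-only`, so let it run long enough to see traffic.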

The discussion might have continued from here.