Promiscuous mode

[bhawley]

I started to put this in the Pub. Backroom, but felt this was the best place

I just installed Tomato Version 1.18 on my Linksys Wrt54g. The following line shows up
in the log files. Vlan1 refers to my 622 dvr. If I disconnect the 622 the entry no longer appears.

May 2 17:49:23 user.info kernel: device vlan1 entered promiscuous mode

From what I have Googled about promiscuous mode this may not be a good thing. Anyone have any info or advice?

 

[Pepper]

Miscellaneous factoids pulled directly out of my head (or other appropriate part of my anatomy) without looking up any current references so YMMV:

Promiscuous mode is useful if you're running a packet analyzer such as Ethereal, and you are connected using a hub instead of a switch.

Promiscuous means in this case that the adapter processes and passes on to the network stack all packets it sees on the wire, not just the packets intended for its mac address. This allows your packet analyzing software to see everything going on at the network level.

If you're using a switch, Promiscuous Mode is not very useful, because the switch maintains a list of which macs are on which switch ports, as opposed to a hub, which simply acts as a repeater sending all received packets to all ports.

You can use a packet analyzer with a switch and without promiscuous mode but you'll only be able to analyze the packets going directly to or from the computer the analyzer is running on.

Since the ViP622 is apparently using promiscuous mode, you could assume they might be using it to detect other devices on the network, maybe other ViP receivers it wants to talk to. Or they could even be doing something more surreptitious such as recording all dns requests from other computers to see if you visit the competition or hacker sites. Who knows, but if it's connected to a switch it won't see much.

 

[John Kotches]

In promiscuous mode on a switched network, you should also see packets for the network and broadcast addresses.

 

[bhawley]

Thanks Pepper. The 622 is cable connected to the Linksys Wrt54g wireless router.
Would you consider this a switch in this situation?

 

[Pepper]

yes, that router has a 4-port integrated switch. As John said, it would see packets to/from itself, the network and broadcast addresses but not much else.

With it being Dish, I tend to believe it's just lazy/sloppy programming rather than for any particular networking purpose.

 

[John Kotches]

yes, that router has a 4-port integrated switch. As John said, it would see packets to/from itself, the network and broadcast addresses but not much else.

With it being Dish, I tend to believe it's just lazy/sloppy programming rather than for any particular networking purpose.

There's using a Linux port; so I have doubts about it being sloppy programming.

 

[Pepper]

Not accusing Linux of being sloppy, maybe promiscuous is the default setting of whatever network driver they are using, and Dish programmers didn't bother to change it. Or do you think there's a more useful or nefarious reasoning behind it?

 

[Foxbat]

What I wonder is how the LinkSys knows the 622 is in Promiscuous Mode since a truly promiscuous device doesn't put anything on the LAN while capturing everything that comes its way. I wonder how Tomato determined that a Promiscuous device was present?

 

[bhawley]

What I wonder is how the LinkSys knows the 622 is in Promiscuous Mode since a truly promiscuous device doesn't put anything on the LAN while capturing everything that comes its way. I wonder how Tomato determined that a Promiscuous device was present?

This is from the log at the first boot of Tomato:

Dec 31 16:00:06 user.warn kernel: tomato_ct.c [Apr 13 2008 15:37:51]
Dec 31 16:00:06 user.info kernel: vlan0: dev_set_promiscuity(master, 1)
Dec 31 16:00:06 user.info kernel: device eth0 entered promiscuous mode
Dec 31 16:00:06 user.info kernel: device vlan0 entered promiscuous mode
Dec 31 16:00:06 user.info kernel: device wds0.49153 entered promiscuous mode
Dec 31 16:00:06 user.info kernel: device wds0.49154 entered promiscuous mode
Dec 31 16:00:06 user.info kernel: device eth1 entered promiscuous mode
Dec 31 16:00:06 user.info kernel: r0: port 4(eth1) entering learning state
Dec 31 16:00:06 user.info kernel: br0: port 3(wds0.49154) entering learning state
Dec 31 16:00:06 user.info kernel: br0: port 2(wds0.49153) entering learning state
Dec 31 16:00:06 user.info kernel: br0: port 1(vlan0) entering learning state
Dec 31 16:00:06 user.warn kernel: vlan1: Setting MAC address to 00 14 bf 2a 67 9f.
Dec 31 16:00:06 user.info kernel: br0: port 4(eth1) entering forwarding state
Dec 31 16:00:06 user.info kernel: br0: topology change detected, propagating
Dec 31 16:00:06 user.info kernel: br0: port 3(wds0.49154) entering forwarding state
Dec 31 16:00:06 user.info kernel: br0: topology change detected, propagating
Dec 31 16:00:06 user.info kernel: br0: port 2(wds0.49153) entering forwarding state
Dec 31 16:00:06 user.info kernel: br0: topology change detected, propagating
Dec 31 16:00:06 user.info kernel: br0: port 1(vlan0) entering forwarding state
Dec 31 16:00:06 user.info kernel: br0: topology change detected, propagating
Dec 31 16:00:06 user.info kernel: vlan1: add 01:00:5e:00:00:01 mcast address to master interface
Dec 31 16:00:06 cron.notice crond[95]: crond 2.3.2 dillon, started, log level 9
Dec 31 16:00:06 user.info init[1]: Tomato 1.18.1441
Dec 31 16:00:06 user.info init[1]: Linksys WRT54G/GS/GL

 

[JamesJ]

Sorry that no one has said it, but if my router was promiscuous, I would worry about Infection to other devices that plug into it...okay sorry but it had to be said, back to thread

 

[John Kotches]

Not accusing Linux of being sloppy, maybe promiscuous is the default setting of whatever network driver they are using, and Dish programmers didn't bother to change it. Or do you think there's a more useful or nefarious reasoning behind it?

I think they set it to debug the driver and forgot to turn it off before it went to GA code.

 

[Pepper]

Forgot? I'm shocked, shocked you could think such a thing!

I think they set it to debug the driver and forgot to turn it off before it went to GA code.

Aha! Now that's exactly the sort of thing I was implying. That's the Echostar software QA team we all know and love.

By the way this is my 4000th post. My fingers are tired. Only 28,239 more before I catch up to Iceberg!