What's This Log Entry Mean?

Discussion in 'Linux Networking' started by Dan N, Jan 30, 2006.

  1. Dan N

    Dan N Guest

    I'm seeing the following entry in /log/messages every day at about 6:30.
    Can someone tell me what it means? It's a debian sarge system, mail is

    Jan 30 06:30:16 mail kernel: device eth0 left promiscuous mode
    Jan 30 06:30:16 mail kernel: eth0: Setting promiscuous mode.
    Jan 30 06:30:16 mail kernel: device eth0 entered promiscuous mode
    Jan 30 06:30:25 mail syslogd 1.4.1#17: restart.


    Dan N, Jan 30, 2006

  2. Dan N

    Lew Pitcher Guest


    Normally, ethernet devices only listen for traffic addressed to their own
    ethernet address. However, it sometimes becomes necessary to ask the ethernet
    device to listen to all the traffic on the network, for diagnostic or
    configuration purposes. This abnormal state is called "promiscuous mode".

    The first line here says that the system is removing the "promiscuous mode"
    listening from eth0, presumably as a result of a timed request to the process
    that is listening to the network traffic.

    This line says that the kernel is re-instituting "promiscuous mode" on eth0.

    This line says that "promiscuous mode" has been instituted on eth0.

    So, some process is again listening to /all/ the network traffic, not just to
    traffic directed at eth0's NIC.

    Your system log daemon has been restarted. Presumably, this is in response to
    a scheduled event, likely one that rotates system logs.

    As far as I can tell, all the above log lines are 'normal' and do not, on
    their own, signify that there is any problem. However, the fact that eth0 is
    being held in promiscuous mode continuously /may/ be suspicious; it may be as
    a result of your configuration, or it may be a network sniffer collecting (and
    presumably analysing/recording) traffic on your LAN. You might want to
    investigate this further.

    --
    Lew Pitcher

    Master Codewright & JOAT-in-training | GPG public key available on request
    Registered Linux User #112576 (http://counter.li.org/)
    Slackware - Because I know what I'm doing.
    Lew Pitcher, Jan 30, 2006
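
The reading of the log lines given in the reply above can be automated. This is an added example, not part of the original thread: it tracks the kernel's "entered"/"left" messages per interface and counts a "left" followed by "entered" within a few seconds as a restart of the listening process. The function names, the 5-second window and the default year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the kernel messages quoted in the thread, e.g.
# "Jan 30 06:30:16 mail kernel: device eth0 entered promiscuous mode"
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[[^\]]*\] )?device (?P<iface>\S+) (?P<event>entered|left) promiscuous mode"
)

def parse_events(lines, year=2006):
    """Yield (time, host, iface, event) for each promiscuous-mode transition."""
    for line in lines:
        m = PROMISC_RE.match(line.strip())
        if m:
            # Classic syslog timestamps carry no year, so one is supplied (assumption).
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["host"], m["iface"], m["event"]

def summarize(lines, restart_window=timedelta(seconds=5), year=2006):
    """Return {(host, iface): {"promiscuous": bool, "since": datetime, "restarts": int}}."""
    state = {}
    for when, host, iface, event in parse_events(lines, year):
        cur = state.setdefault((host, iface),
                               {"promiscuous": False, "since": None, "restarts": 0})
        if event == "entered":
            # "left" then "entered" within the window looks like the listening
            # process being restarted, not a new listener appearing.
            if not cur["promiscuous"] and cur["since"] and when - cur["since"] <= restart_window:
                cur["restarts"] += 1
            cur["promiscuous"] = True
        else:
            cur["promiscuous"] = False
        cur["since"] = when
    return state

# The four log lines from the first post in this thread.
SAMPLE = """\
Jan 30 06:30:16 mail kernel: device eth0 left promiscuous mode
Jan 30 06:30:16 mail kernel: eth0: Setting promiscuous mode.
Jan 30 06:30:16 mail kernel: device eth0 entered promiscuous mode
Jan 30 06:30:25 mail syslogd 1.4.1#17: restart.
""".splitlines()

if __name__ == "__main__":
    for (host, iface), info in summarize(SAMPLE).items():
        mode = "PROMISCUOUS" if info["promiscuous"] else "normal"
        print(f"{host} {iface}: {mode} since {info['since']}, restarts={info['restarts']}")
```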

  3. Dan N

    Dan N Guest

    Thanks. It's probably snort doing this?

    Dan N, Jan 30, 2006
  4. Dan N

    Tauno Voipio Guest

    Yes. Your Snort has been restarted.

    So does e.g. ntop.
    Tauno Voipio, Jan 30, 2006
  5. Dan N

    Vaxius Guest

    I believe most programs which scan continuously for APs usually put the
    wireless port into promiscuous mode. However, eth0 shouldn't be a
    wireless interface. I guess I haven't really answered anything, but maybe
    it will help.
    Vaxius, Feb 2, 2006