ifchk

Advisory 2006-0905
09/05/2006: ifchk Promiscuous Detection Failure & Linux Kernel 2.6

Updates
02/25/2007: Added kernel 2.6.20 to Description section, below
12/14/2006: Added kernel 2.6.19 to Description section, below
11/25/2006: Added kernels 2.6.17 and 2.6.18 to Description section, below
11/15/2006: Added kernels 2.6.14 to 2.6.16 to Description section, below

Overview
ifchk is not reporting promiscuous interface activity under certain Linux kernel 2.6 revisions.

Test Environment
Arch:   x86
Dist:   Debian Linux 3.1
Kernel: 2.6
CC:     gcc 3.3.5-13
Libc:   glibc 2.3.2
Note that other hardware/software combinations may also exhibit this behavior. I have not, however, received any other such reports.

Description
Testing of ifchk under Linux kernel 2.6.0 to 2.6.20 has revealed that ifchk is not reporting promiscuous interface activity under the following 2.6 kernel versions:

2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20

All test kernels were built from www.kernel.org sources using the default build configuration as generated by `make menuconfig`.

ifchk uses the netlink(7) and rtnetlink(7) kernel subsystems to detect interface status under Linux. The inaccurate reporting of promiscuous interface activity is believed to result from changes made to these two kernel subsystems in kernels 2.6.9 to 2.6.20, inclusive.

Solution
Do not use ifchk for promiscuous mode detection under Linux kernels 2.6.9 to 2.6.20, inclusive.
ifchk Beta 5 (currently under development) will address this issue.

Testing indicates that ifchk running under Linux kernels 2.6.0 to 2.6.8 does not exhibit the above behavior.
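
One way to apply this guidance before trusting ifchk output on a host is to classify the running kernel against the ranges above. This is an added example, not part of ifchk or the original advisory; the function name `ifchk_kernel_status` and its status words are assumptions chosen for illustration, and vendor-suffixed kernels are classified by their base version.

```shell
#!/bin/sh
# Added example (not part of ifchk): classify a kernel release string against
# the ranges reported in Advisory 2006-0905.
#   unaffected : 2.6.0 to 2.6.8   (testing showed correct reporting)
#   affected   : 2.6.9 to 2.6.20  (promiscuous activity not reported)
#   untested   : anything else, including -rc builds (outside the advisory)
#   unparsable : no leading major.minor.patch found
# Assumption: vendor suffixes ("-6-686") and stable point releases (".1")
# are classified by their base version.
ifchk_kernel_status() {
    rel=$1
    case $rel in
        *-rc*) echo untested; return 0 ;;
    esac
    # Extract the leading major.minor.patch and discard any suffix.
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*$/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo unparsable
        return 0
    fi
    set -- $ver            # $1=major $2=minor $3=patch
    if [ "$1" -ne 2 ] || [ "$2" -ne 6 ]; then
        echo untested
    elif [ "$3" -le 8 ]; then
        echo unaffected
    elif [ "$3" -le 20 ]; then
        echo affected
    else
        echo untested
    fi
    return 0
}

# Gate an ifchk run on the running kernel.
release=$(uname -r)
case $(ifchk_kernel_status "$release") in
    affected)   echo "kernel $release: ifchk promiscuous results are unreliable (Advisory 2006-0905)" ;;
    unaffected) echo "kernel $release: in the range where ifchk reported correctly" ;;
    untested)   echo "kernel $release: outside the range covered by Advisory 2006-0905" ;;
    *)          echo "kernel $release: could not parse release string" ;;
esac
```

A result of `untested` means the advisory makes no statement about that kernel, not that ifchk is known to work there.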

Copyright © 1998-2008 Noorg, Inc.
All Rights Reserved.