Project ifchk - Promiscuous Mode Operation,
Detection and Packet Sniffing
By Joshua Birnbaum
I. Promiscuous and Non-Promiscuous Network Interface Operation
Upon reading a frame, an interface must make some decisions as to
how it is to process that frame.
First, the network hardware performs a CRC (Cyclic Redundancy Check) to
determine whether the frame was corrupted in transit. If so, the frame is
discarded. If not, it is handed off to the device driver at the link level of
the protocol stack. What happens next depends on the frame's destination
address and on whether the interface is in promiscuous mode or not.
An interface running in non-promiscuous mode will only read frames addressed
to its ARP/MAC address (e.g., 08:00:20:4b:1e:24), the network broadcast address
(e.g., ff:ff:ff:ff:ff:ff) and, if the interface is part of a multicast group,
the network multicast address (e.g., 01:00:5e:00:40:20). All other frames are
ignored and, as a result, will not be passed up the protocol stack for further
processing.
An interface running in promiscuous mode is interested in all frames traversing
the network and will pass every frame up the protocol stack, regardless of its
destination ARP/MAC address.
II. Examples of Packet Sniffer Usage
- To pinpoint and debug network congestion/latency related problems stemming,
for example, from faulty network hardware (e.g., malfunctioning ethernet switches),
network services (e.g., slow NFS file service performance) or denial of service
attacks, such as ICMP broadcast storms.
- Password and data theft (unfortunately). Not all networks are switched and rsh,
in addition to telnet, still find usage on both internal and external networks.
III. Project ifchk
ifchk is a tool for network interface promiscuous mode detection, management and
traffic trend analysis. The following list discusses ifchk's core functions.
- Report on the state (normal, down, PROMISC, etc) of each interface attached to
the system.
- Shut down all interfaces running in promiscuous mode, if told to do so.
- Report per-interface traffic metrics to help identify spikes in network
traffic flow that may warrant further investigation.
- Log everything that it finds via the syslog facility.
IV. ifchk Implementation
At its core, ifchk uses ioctl commands to get and set network device (interface)
characteristics via the sending and receiving of messages to and from the
operating system kernel.
In the case of ifchk, this includes learning of the configured interfaces present
on the system, their operational flags (UP, BROADCAST, RUNNING, PROMISC, etc)
and performing interface shutdown.
ifchk uses the following ioctl commands:
- SIOCGIFCONF: get a list of all network interfaces present on the system.
- SIOCGIFFLAGS: get interface flags to determine if the interface is normal (up
and in non-promiscuous mode), down, promisc, etc.
- SIOCSIFFLAGS: set flags on an interface. ifchk uses this to shut down
promiscuous interfaces.
More information on ioctl, including its user interface, can be found in ioctl(2).
V. ifchk Related Links
Project ifchk Webpage
SGI Third Party Applications Directory
Freshmeat
SecurityFocus
SourceFORGE
Copyright © 1998-2008 Noorg, Inc.
All Rights Reserved.