Bugtraq mailing list archives

Re: Interface promiscuity obscurity in Linux


From: Jim Mellander <jmellander () lbl gov>
Date: Thu, 25 Jul 2002 14:58:57 -0700

My sniffer detector, update, which (unfortunately) is only a binary
release at this moment pending legalities, uses the following technique
for Solaris:

For all possible interfaces (le, hme, etc.), find the head of the stream linked
list for that interface by examining kernel symbols: for hme, for
instance, the kernel symbol is 'hmestrup'.

This points to a linked list of open streams for that interface (the
structure of which is in the header file hme.h, etc).

Walk the list looking at the flag for that stream, until you reach a
null pointer, which is the end of the stream list.

Then check the next possible interface.

Some trickiness in supporting 32 bit & 64 bit kernels in the same
binary.  Unfortunately, it hasn't been updated for Sun Blade yet.


For Solaris x86, a similar approach is used, except there is only one
linked list, but it links back to the beginning.

For Linux 2.2, it actually steps through the linked list of devices,
ignoring the first one, which is the loopback, then reads the flags from
kernel memory.


Here's a non-error-checking code snippet for Solaris hme (details of the
32/64 bit stuff omitted):

#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <nlist.h>
/* struct hmestr and HMESALLPHYS come from the hme driver header (hme.h);
 * the include path depends on the Solaris release */
#include "hme.h"

/* Count the open hme streams whose flags ask for all physical packets,
 * i.e. promiscuous mode, by walking the driver's stream list in /dev/kmem */
int count_hme_promisc(void)
{
    struct nlist nl[] = {
        { "hmestrup"    },
        { 0             }
    };
    struct hmestr hmestr;
    unsigned long hmeaddr;
    int memfd;
    int retval = 0;

    /* Open kernel memory; the walk only reads, so read-only is enough */
    memfd = open("/dev/kmem", O_RDONLY);

    /* Get the namelist entry for the interface: hmestrup holds the
     * head of the linked list of open hme streams */
    nlist("/dev/ksyms", nl);

    hmeaddr = nl[0].n_value;
    while (hmeaddr != 0) {
        /* read this stream's record out of kernel memory */
        lseek(memfd, (off_t) hmeaddr, SEEK_SET);
        read(memfd, (void *) &hmestr, sizeof(struct hmestr));

        if (hmestr.sb_flags & HMESALLPHYS)
            retval++;

        /* follow the list; a null next pointer ends it */
        hmeaddr = (unsigned long) hmestr.sb_nextp;
    }

    close(memfd);
    return retval;
}


update is available at ftp://lassie.lbl.gov


Casper Dik wrote:

The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode set by
ioctl(SIOCSIFFLAGS).

This is the same reason why Promiscuous mode is never reported by
"ifconfig" in Solaris 2.0 and later.

In Solaris, ifconfig primarily (or perhaps only) deals with the
"IP (or other network stack) plumbing" on devices; in that context
the "promiscuous" flag has no meaning either.

A number of Solaris device drivers export the fact whether they're
promiscuous using the "kstat" (kernel statistics) interface; unfortunately
not all devices support that yet.

$ kstat -p :::promisc
elxl:0:elxl0:promisc    off

We need to fix this for most SPARC hardware still.

Casper

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

Your fortune for today is:

One Bell System - it works.
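The stream-list walk from Jim Mellander's snippet above, as an added example that is not part of the post or of the update tool: the stream record, the flag value and the reader are hypothetical stand-ins (the real layout and HMESALLPHYS come from hme.h), and a constructed fake kernel image replaces /dev/kmem so it runs anywhere. It generalizes the snippet to both list shapes the post mentions, the NULL-terminated SPARC list and the circular Solaris x86 list, and bounds the walk so a corrupt or self-looping pointer cannot hang the checker.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the driver's per-stream record: only the two
 * fields the walk needs (the real layout comes from hme.h). */
struct fake_stream {
    uint32_t flags;   /* stand-in for sb_flags */
    uint64_t nextp;   /* stand-in for sb_nextp; 0 plays the role of NULL */
};
#define PROMISC_FLAG 0x1u   /* stand-in for HMESALLPHYS, not the real value */
/* Reader abstraction: the real tool would lseek()+read() on /dev/kmem. */
typedef int (*kmem_reader)(uint64_t addr, void *buf, size_t len, void *ctx);
/* Walk the stream list from head, counting promiscuous streams. Stops on
 * NULL (SPARC-style list), on wrapping back to head (x86-style circular
 * list), or after max_nodes reads so a corrupt or self-looping list cannot
 * hang the checker. Returns -1 if a read fails. */
int count_promisc_streams(uint64_t head, kmem_reader rd, void *ctx, int max_nodes)
{
    int count = 0, seen = 0;
    uint64_t addr = head;
    while (addr != 0 && seen < max_nodes) {
        struct fake_stream s;
        if (rd(addr, &s, sizeof s, ctx) != 0) return -1;
        if (s.flags & PROMISC_FLAG) count++;
        seen++;
        addr = s.nextp;
        if (addr == head) break;   /* circular list: back at the start */
    }
    return count;
}
/* Constructed "kernel memory": node i lives at fake address i+1. */
struct fake_kmem { struct fake_stream nodes[4]; size_t n; };
static int fake_read(uint64_t addr, void *buf, size_t len, void *ctx)
{
    struct fake_kmem *k = ctx;
    if (addr == 0 || addr > k->n || len != sizeof(struct fake_stream)) return -1;
    memcpy(buf, &k->nodes[addr - 1], len);
    return 0;
}
/* Three streams, the second promiscuous. shape: 0 = NULL-terminated,
 * 1 = circular (last node links to head), 2 = dangling pointer, 3 = self-loop. */
int demo_count(int shape)
{
    struct fake_kmem k = { { {0, 2}, {PROMISC_FLAG, 3}, {0, 0} }, 3 };
    if (shape == 1) k.nodes[2].nextp = 1;
    if (shape == 2) k.nodes[2].nextp = 99;
    if (shape == 3) k.nodes[2].nextp = 3;
    return count_promisc_streams(1, fake_read, &k, 64);
}
```

On a real system the reader would be replaced by seeks and reads on /dev/kmem at the address nlist() returns for the interface's stream head, and the flag test by the driver's own constant.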

