[Snort-users] Promiscuous Mode Question

Sun Sep 2 09:24:02 EDT 2001

On Sun, 2 Sep 2001, Jim Kipp wrote:

> If I run snort or tcpdump (on eth0), then do ifconfig -a eth0, it does
> not report PROMISC. Only when I manually set promisc does it report it.
> But tcpdump seems to be sniffing everything.  Is this normal?

Well, I'm not a cable modem user, but I play one in 'The Young and The
Restless'...  ;-)

Seriously, look at the traffic.  Is it only traffic bound for your IP?  If so,
you're seeing what you should be when not in promisc mode.  If that's the
case, then yes, it's all working as it should.

Try doing a 'tcpdump not host <foo>' with <foo> being your host.  If you see
traffic to/from other boxes other than ARP, then there is something kinda odd
going on.

Hope this helps!

Erek Adams
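
The check suggested in the reply above, as an added example that is not part of the original post: it sorts `tcpdump -n` output into traffic involving your own host, ARP, broadcast/multicast, and unicast between other hosts. It goes one step beyond the reply by separating broadcast and multicast, which show up under `not host <foo>` even without promiscuous mode. The line format, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# "IP <src>[.<sport>] > <dst>[.<dport>]:" as printed by `tcpdump -n` (assumed format).
IP_LINE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def classify(line, my_ip, network):
    """Label one tcpdump line: mine, arp, broadcast, foreign or other."""
    if " ARP, " in line:
        return "arp"
    m = IP_LINE.search(line)
    if not m:
        return "other"          # non-IPv4 or unparsed; inspect by hand
    src, dst = (ipaddress.ip_address(a) for a in m.groups())
    if my_ip in (src, dst):
        return "mine"
    # Broadcast and multicast reach every NIC on the segment, promiscuous or not.
    if dst.is_multicast or dst in (network.broadcast_address,
                                   ipaddress.ip_address("255.255.255.255")):
        return "broadcast"
    return "foreign"            # unicast between two other hosts

def summarize(lines, my_ip, cidr):
    """Count the labels over a capture; my_ip and cidr describe the local host."""
    me = ipaddress.ip_address(my_ip)
    net = ipaddress.ip_network(cidr)
    return Counter(classify(line, me, net) for line in lines)

# Constructed sample capture (not real traffic); local host is 192.0.2.10/24.
SAMPLE = [
    "09:24:02.000001 IP 192.0.2.10.51234 > 198.51.100.7.80: Flags [S], length 0",
    "09:24:02.000002 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 46",
    "09:24:02.000003 IP 192.0.2.20.138 > 192.0.2.255.138: UDP, length 201",
    "09:24:02.000004 IP 192.0.2.30.5353 > 224.0.0.251.5353: UDP, length 45",
    "09:24:02.000005 IP 192.0.2.20.40000 > 198.51.100.7.443: Flags [P.], length 120",
    "09:24:02.000006 IP 198.51.100.7.80 > 192.0.2.10.51234: Flags [S.], length 0",
]

if __name__ == "__main__":
    counts = summarize(SAMPLE, "192.0.2.10", "192.0.2.0/24")
    print(dict(counts))
    if counts["foreign"]:
        print("unicast between other hosts seen: frames not addressed to this host")
```

A non-zero `foreign` count is the "something kinda odd" case from the reply; `arp` and `broadcast` lines alone are expected on any shared segment.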

