So many “NIC in promiscuous” MODE in My Network

0

Posted by kuswara | Posted in Computer | Posted on 23-02-2010

In computing, promiscuous mode or promisc mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it — a feature normally used for packet sniffing, and bridged networking for hardware virtualization.



Each frame includes the hardware (Media Access Control) address. When a network card receives a frame, it normally drops it unless the frame is addressed to that card. In promiscuous mode, however, the card allows all frames through, thus allowing the computer to read frame intended for other machines or network devices.

Many operating systems require superuser privileges to enable promiscuous mode. A non-routing node in promiscuous mode can generally only monitor traffic to and from other nodes within the same collision domain (for Ethernet and Wireless LAN) or ring (for Token ring or FDDI). Computers attached to the same network hub satisfy this requirement, which is why network switches are used to combat malicious use of promiscuous mode. A router may monitor all traffic that it routes.

Promiscuous mode is often used to diagnose network connectivity issues. There are programs that make use of this feature to show the user all the data being transferred over the network. “Some protocols like FTP and Telnet transfer data and passwords in clear text, without encryption, and network scanners can see this data”. Therefore, computer users are encouraged to stay away from insecure protocols like telnet and use more secure ones such as SSH.

Promiscuous mode is also used by transparent network bridges in order to capture all traffic that needs to pass the bridge so that it can be retransmitted on the other side of the bridge.

> 1) What exactly is promiscuous mode? 

Promiscuous mode means the network card sends all traffic received to the
kernel for processing, even if it wasn't destin for the MAC address of that
card.  In normal mode, traffic not destin for that card is dropped and the
kernel never sees it.

> 2) Why might it be considered a bad thing?

Once the card is placed in promiscuous mode, users on your system can use
packet sniffers to sniff network traffic without needing root privs on
your system.  The NIC is promiscuous for the whole machine.

> 3) How do I disable it if it really is bad?

ifconfig should allow you to do this.

> 4) What are the effects of disabling it?

Pretty much the reverse of #2.  If you're running may types of scanning

software, or network sniffers, they will put the card in promisc mode.