[clug] iptables to simulate promiscuous interface

[jm]

James Polley wrote:
> There is nothing more worthy of contempt than a man who quotes himself
> - Zhasper, 2004
>
>
> It's been a while since I've played with this, but I don't think
> there's any way to "simulate" putting the interface into promiscuous
> mode. If it's being promiscuous it will forward up the stack all
> frames it received; if it isn't being promiscuous, it will only
> forward up the stack packets addressed to it - and so iptables will
> never get a chance to see the packet.
>   
Great. Can't seem to catch a break today.
> Normally you'd have your netflow collector somewhere central: last
> time I set one up, it was on the router that forwarded all traffic to
> Teh Interwebs. It got to see all the traffic because it was the
> default gateway for all machines on the network - but it didn't see
> any chatter between the hosts on the network.
>   

That's the one thing I can guarrantee this router sees everything 
flowing through the network.
> If you don't have fprobe running in such a place, the libpcap variant
> of fprobe might work for you better, especially given that you've
> confirmed that libpcap can see the packets.
>
> Out of curiosity: if the card is set in promiscuous mode (by running
> tcpdump), does iptables then see the traffic?
>   

No I thought of this after I sent the email (I set it via ifconfig eth2 
promisc). It's a good idea, but it doesn't work. I took a look at the 
amount of traffic that the router is mirroring onto this link it's well 
over 100Mbps.

Since the last email I sent I've also been able to show that I'm losing 
about 50% of the traffic (using libpcap based fprobe and flow-capture 
from flow-tools) by the time it hit the flow files on the disk. This is 
based on comparing the usage of two customers who independently record 
theire usage and comparing it to what I captured for the period of one 
day. So something is really a miss somewhere.


Jeff.