[clug] iptables to simulate promiscuous interface
jeffm at ghostgun.com
Tue Jan 13 06:50:09 GMT 2009
James Polley wrote:
> There is nothing more worthy of contempt than a man who quotes himself
> - Zhasper, 2004
> It's been a while since I've played with this, but I don't think
> there's any way to "simulate" putting the interface into promiscuous
> mode. If it's being promiscuous it will forward up the stack all
> frames it received; if it isn't being promiscuous, it will only
> forward up the stack packets addressed to it - and so iptables will
> never get a chance to see the packet.
Great. Can't seem to catch a break today.
> Normally you'd have your netflow collector somewhere central: last
> time I set one up, it was on the router that forwarded all traffic to
> Teh Interwebs. It got to see all the traffic because it was the
> default gateway for all machines on the network - but it didn't see
> any chatter between the hosts on the network.
That's the one thing I can guarantee: this router sees everything
flowing through the network.
> If you don't have fprobe running in such a place, the libpcap variant
> of fprobe might work for you better, especially given that you've
> confirmed that libpcap can see the packets.
> Out of curiosity: if the card is set in promiscuous mode (by running
> tcpdump), does iptables then see the traffic?
No, I thought of this after I sent the email (I set it via ifconfig eth2
promisc). It's a good idea, but it doesn't work. I took a look at the
amount of traffic that the router is mirroring onto this link it's well
Since the last email I sent I've also been able to show that I'm losing
about 50% of the traffic (using libpcap based fprobe and flow-capture
from flow-tools) by the time it hits the flow files on the disk. This is
based on comparing the usage of two customers who independently record
their usage and comparing it to what I captured for the period of one
day. So something is really amiss somewhere.
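As an added example (not code from this thread), one way to do the per-customer comparison described above from a raw tcpdump capture of the mirrored link: sum IP bytes per customer prefix straight from the pcap, so the capture-side total can be checked against the customer's own meter before the packets ever reach fprobe, which localises whether the 50% goes missing at capture or at flow export. The customer prefixes and packets below are constructed sample data.

```python
import struct
from ipaddress import ip_address, ip_network

ETH_IPV4 = 0x0800

def iter_ipv4(pcap):
    """Yield (src, dst, ip_total_length) for each IPv4-over-Ethernet record in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"          # microsecond pcap, either byte order
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(end + "I", pcap, off + 8)
        rec = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(rec) >= 34 and struct.unpack_from("!H", rec, 12)[0] == ETH_IPV4:
            total_len, = struct.unpack_from("!H", rec, 16)   # IP bytes, what a customer meter counts
            yield ip_address(rec[26:30]), ip_address(rec[30:34]), total_len

def bytes_per_customer(pcap, customers):
    """Sum IP bytes to or from each customer prefix; compare the result with the customer's own meter."""
    nets = {name: ip_network(cidr) for name, cidr in customers.items()}
    totals = dict.fromkeys(customers, 0)
    for src, dst, n in iter_ipv4(pcap):
        for name, net in nets.items():
            if src in net or dst in net:
                totals[name] += n
    return totals

def frame(src, dst, payload_len):
    """Constructed Ethernet+IPv4 frame with a zero payload (sample data, not captured traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return b"\0" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + b"\0" * payload_len

def build_pcap(frames):
    """Classic little-endian pcap (magic, v2.4, tz 0, sigfigs 0, snaplen 65535, Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: two customer prefixes and four packets seen on the mirrored link.
CUSTOMERS = {"cust-a": "192.0.2.0/29", "cust-b": "198.51.100.0/29"}
SAMPLE_PCAP = build_pcap([
    frame("192.0.2.1", "203.0.113.10", 1000),    # cust-a outbound:  1020 IP bytes
    frame("203.0.113.10", "192.0.2.1", 480),     # cust-a inbound:    500 IP bytes
    frame("198.51.100.2", "203.0.113.10", 200),  # cust-b outbound:   220 IP bytes
    frame("198.51.100.2", "192.0.2.1", 100),     # between customers: 120 bytes, counted for both
])
```

Run `bytes_per_customer(open("mirror.pcap", "rb").read(), CUSTOMERS)` against a tcpdump file taken on eth2 for the same day, and also note tcpdump's own "packets dropped by kernel" count, which already tells you whether libpcap is keeping up on that link.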