What is promiscuous mode?
In computer networking, promiscuous mode is a mode of operation, as well as a security, monitoring and administration technique. In promiscuous mode, a network device, such as an adapter on a host system, can intercept and read in its entirety each network packet that arrives.
This mode applies to both a wired network interface card and wireless NIC. In both cases, it causes the controller to pass all traffic it receives to the central processing unit instead of just the frames it is specifically programmed to receive.
This enables a network monitoring tool to examine the content of the transmission for potential threats.
In an Ethernet local area network (LAN), promiscuous mode ensures that every data packet that is transmitted is received and read by a network adapter. This means the adapter does not filter packets. Instead, it passes each packet on to the operating system (OS) or any monitoring application installed on the network.
Within the network, this mode of operation is used for packet sniffing, the practice of collecting and logging packets that pass through the network for further analysis, such as the analysis of traffic or bandwidth usage.
Promiscuous mode and packet sniffing
With packet sniffing, it's possible to run tcpdump for specific interfaces. Tcpdump is a free network packet analyzer software that enables users to display Transmission Control Protocol/Internet Protocol (TCP/IP) and other packets being transmitted or received over a network. It runs under a command-line interface. Wireshark is another popular packet sniffing program. Most packet sniffers in use today are software-based -- although hardware packet sniffers are also used.
Any network interface attached to a network can receive every bit of traffic. However, most are configured not to do so. The software packet sniffer adopts promiscuous mode to change this configuration. This enables the interface or adapter to pass all network traffic up the stack, regardless of the packets' destination addresses.
The packet sniffer collects all the traffic flowing through the physical interface, separates or reassembles it as required, and then logs it as per the network's requirement.
The network adapter is in promiscuous mode given the following:
- It was manually configured using the ifconfig command or the ip link set command.
- A monitoring tool is used.
In a bridge network, the NIC may be required to operate in promiscuous mode. In that case, the mode must be supported by each network adapter, as well as by the input/output driver in the host OS. Some OSes require superuser privileges to enable this mode.
Promiscuous mode can also be configured so that the packet data is accessible to a guest OS or a visitor on the host system.
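Because a NIC in promiscuous mode is both an administrative setting and a classic sign of sniffing, an administrator usually wants a quick way to audit which interfaces are in that state. The following POSIX shell script is an added example and is not part of the original article or any vendor documentation. It assumes a Linux host: the kernel exposes each interface's flags in /sys/class/net/<interface>/flags, where promiscuous mode is the IFF_PROMISC bit (0x100), and it logs "device <interface> entered promiscuous mode" / "left promiscuous mode" when the flag changes; both behaviours are standard Linux, but the sample log lines below are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit Linux interfaces for
# promiscuous mode. Assumes /sys/class/net/<if>/flags and the standard kernel
# log messages for promiscuous-mode transitions.

# IFF_PROMISC is bit 0x100 of the interface flags word.
IFF_PROMISC=256

# promisc_flag_set HEXFLAGS -> exit status 0 if IFF_PROMISC is set in HEXFLAGS
# (shell arithmetic accepts the 0x... form that /sys uses).
promisc_flag_set() {
    flags=$(($1))
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# list_promisc_ifaces [SYSNET] -> prints the name of every interface under
# SYSNET (default /sys/class/net) whose flags file has IFF_PROMISC set.
list_promisc_ifaces() {
    sysnet=${1:-/sys/class/net}
    for d in "$sysnet"/*/; do
        [ -r "$d/flags" ] || continue
        if promisc_flag_set "$(cat "$d/flags")"; then
            basename "$d"
        fi
    done
}

# promisc_events_from_log -> reads kernel log lines on stdin and prints
# "<iface> entered" or "<iface> left" for each promiscuous-mode transition,
# so an unexpected "entered" on a production host stands out.
promisc_events_from_log() {
    sed -n -E 's/.*device ([^ ]+) (entered|left) promiscuous mode.*/\1 \2/p'
}

# Run with --audit on a real host (hypothetical usage) to report the current
# state and the transitions recorded in the kernel log.
if [ "${1:-}" = "--audit" ]; then
    echo "interfaces currently in promiscuous mode:"
    list_promisc_ifaces
    echo "promiscuous-mode transitions in the kernel log:"
    dmesg 2>/dev/null | promisc_events_from_log
fi
```

The flag check reads the same bit that ifconfig reports as PROMISC, so it works even on hosts where ifconfig is no longer installed; pairing it with the kernel log shows not just the current state but when the interface was switched, which is the question an incident responder asks first.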
What is non-promiscuous mode?
In promiscuous mode, the NIC allows all frames through, so even frames intended for other machines or network devices can be read. But, in non-promiscuous mode, when the NIC receives a frame, it drops it unless it is addressed to its specific media access control address or is a broadcast or multicast addressed frame.
So, when a data packet is transmitted in non-promiscuous mode, all the LAN devices listen to the data to determine if their network address is included in the packet. If it's not, the packet is passed on to the next LAN device until the correct network address is reached. That device then reads the data.
What are the drawbacks of promiscuous mode?
Promiscuous mode is often used to monitor network activity and to diagnose connectivity issues. It is sometimes given to a network snoop server that captures and saves all packets for analysis, for example, to monitor network usage.
However, due to its ability to access all network traffic on a segment, this mode is considered unsafe. For example, in a system with multiple virtual machines, promiscuous mode makes it possible for every host to see all network packets destined for all other VMs on that system, not just packets destined for their VMs.
While debugging problems, however, tcpdump should not be run with the NIC in promiscuous mode, because tcpdump will then not show which data packets the system accepts under normal conditions. Relying on the IP addresses in tcpdump's output to determine the right packet will yield incorrect insights.
If the Ethernet address display is not turned on and the NIC is in promiscuous mode, it will -- incorrectly -- show that there are no problems on the network. This may lead to network outages. To prevent such issues, it's important to use non-promiscuous mode or turn on the Ethernet address display in tcpdump.
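The pitfall above comes from the fact that, in promiscuous mode, a capture contains frames the host would never have accepted, and the IP header alone does not reveal that. The following shell example is added here and is not from the original article. It shows the two tcpdump options that address the problem (-p asks tcpdump not to put the interface into promiscuous mode; -e prints the link-level header, i.e. the Ethernet addresses) and, for captures that were already taken in promiscuous mode with -e, a filter that separates frames actually addressed to this host (its own MAC, broadcast, or multicast) from frames that only promiscuous mode delivered. The sample capture lines and the MAC 00:1d:09:08:94:8a (taken from the ifconfig output in this article) are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original article).
# Capturing without promiscuous mode, with Ethernet addresses shown
# (hypothetical usage on an interface named eth0):
#   tcpdump -p -e -i eth0
# -p: do not put the interface into promiscuous mode
# -e: print the link-level (Ethernet) header on each line

# frames_not_for_host LOCALMAC -> reads "tcpdump -e" style lines on stdin and
# prints only the frames whose destination MAC is neither LOCALMAC, broadcast,
# nor multicast; these are frames a NIC in non-promiscuous mode would drop.
frames_not_for_host() {
    awk -v me="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
        # tcpdump -e layout: <time> <src-mac> > <dst-mac>, ethertype ...
        dst = tolower($4); sub(/,$/, "", dst)
        if (dst == me || dst == "ff:ff:ff:ff:ff:ff") next
        # Multicast is signalled by the I/G bit, the low bit of the first octet.
        nib = index("0123456789abcdef", substr(dst, 2, 1)) - 1
        if (nib % 2 == 1) next
        print
    }'
}

# sample_frames -> constructed "tcpdump -e" output for the demonstration:
# one frame to this host, one broadcast, one multicast, one to another host.
sample_frames() {
    cat <<'EOF'
12:00:01.000001 00:50:56:c0:00:08 > 00:1d:09:08:94:8a, ethertype IPv4 (0x0800), length 98: 192.168.1.20 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 00:50:56:c0:00:08 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.000003 00:50:56:c0:00:08 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 86: 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 44
12:00:01.000004 00:50:56:c0:00:08 > 00:50:56:c0:00:09, ethertype IPv4 (0x0800), length 98: 192.168.1.20 > 192.168.1.30: ICMP echo request, id 2, seq 1, length 64
EOF
}

# Run with --demo to print the frames that only promiscuous mode delivered
# (in the sample, just the ping to 192.168.1.30).
if [ "${1:-}" = "--demo" ]; then
    sample_frames | frames_not_for_host 00:1d:09:08:94:8a
fi
```

Looking at IP addresses alone, all four sample lines look like normal traffic on the segment; only the destination MAC reveals that the last one was addressed to a different host and would never have reached this system's stack, which is exactly the misleading "no problems" picture the article warns about.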
How to turn off promiscuous mode on a NIC
To enable promiscuous mode on a physical NIC, run this command -- as laid out by Citrix support documents for its XenServer virtualization platform -- in the text console:
# ifconfig eth0 promisc
Run the ifconfig command, and notice the outcome:
eth0 Link encap:Ethernet HWaddr 00:1D:09:08:94:8A
inet6 addr: fe80::21d:9ff:fe08:948a/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:23724 errors:0 dropped:0 overruns:0 frame:0
TX packets:7517 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:2169478 (2.0 MiB) TX bytes:5423377 (5.1 MiB)
To disable promiscuous mode, run this command on the XenServer text console:
# ifconfig eth0 -promisc
Run the ifconfig command again, and confirm that PROMISC no longer appears in the flags line.