Promiscuous ports under Linux
Peter Pearson
pkpearson at nowhere.invalid
Thu May 4 12:33:51 EDT 2017
On Thu, 04 May 2017 10:26:45 GMT, alister <alister.ware at ntlworld.com> wrote:
> On Wed, 03 May 2017 23:57:49 +0000, Peter Pearson wrote:
>
>> Cobbling together a minimalist ethernet-sniffing program, I was hoping
>> to use this simple mechanism for setting the socket to "promiscuous
>> mode" (to see all traffic going past, instead of just traffic addressed
>> to my machine):
>>
>> s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>>
>> Unfortunately, it seems that that mechanism is available under Windows
>> but not under Linux. Googling around for Linux equivalents, I found
>> only very contorted solutions, and concluded that maybe this lacuna
>> persists because Linux users find it convenient to invoke promiscuous
>> mode from the command line, instead:
>>
>> $ sudo ip link set eth0 promisc on $ netstat -i # (Verify
>> that the P flag is set.)
>>
>> This somehow fails: my sniffer continues to see only broadcasts,
>> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
>>
>> So my question is now two questions:
>>
>> . Is it true that going permiscuous under Linux must be somewhat ugly?
>> (It's OK if it is, I'll just copy the ugly code and get moving
>> again.)
>>
>> . Why doesn't the command-line "promisc on" work? (Granted, this is
>> maybe a Linux question.)
>>
>> Thanks.
>
> any particular reason why you wish to re-invent this particular wheel
> when wireshark is freely available (& the de-facto tool of choice for
> most network engineers)
I'm curious to survey all my LAN traffic in various ways, and it seems
likely that I will see phenomena that I don't understand, and focussing
in on those phenomena is likely to require more flexible filtering
than Wireshark can provide. I expect to leave this process running for
maybe 24 hours at a stretch, maybe longer, with real-time alerts when
interesting things occur.
Maybe Wireshark can do everything I'll ever need to do, but it seems
so complicated, and Python seems so simple . . .
--
To email me, substitute nowhere->runbox, invalid->com.
More information about the Python-list
mailing list