Cannot disable promiscuous mode
-
Hopefully this is in the right section.
I am trying to remove the "PROMISC" flag from an interface but it won't go away. Currently running pfSense 2.0.1 but had the same problem while trying 2.1-beta.
This is what happens. I'm root, and it doesn't matter if I put the interface down.
$ ifconfig ath0_wlan0 ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 (...) $ ifconfig ath0_wlan0 -promisc $ ifconfig ath0_wlan0 ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500</up,broadcast,running,promisc,simplex,multicast></up,broadcast,running,promisc,simplex,multicast>
Some additional information, output of dmesg -a:
Copyright (c) 1992-2010 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 18:59:41 EST 2011 root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386 Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Geode(TM) Integrated Processor by AMD PCS (498.05-MHz 586-class CPU) Origin = "AuthenticAMD" Id = 0x5a2 Family = 5 Model = a Stepping = 2 Features=0x88a93d <fpu,de,pse,tsc,msr,cx8,sep,pge,cmov,clflush,mmx>AMD Features=0xc0400000 <mmx+,3dnow!+,3dnow!>real memory = 268435456 (256 MB) avail memory = 243433472 (232 MB) pnpbios: Bad PnP BIOS data checksum netisr_init: forcing maxthreads to 1 and bindthreads to 0 for device polling wlan: mac acl policy registered ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/. ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf. module_register_init: MOD_LOAD (ipw_bss_fw, 0xc0710010, 0) error 1 ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/. ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf. module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc07100b0, 0) error 1 wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/. wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf. module_register_init: MOD_LOAD (wpi_fw, 0xc0883050, 0) error 1 ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/. ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf. module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc0710150, 0) error 1 K6-family MTRR support enabled (2 registers) ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309) ACPI: Table initialisation failed: AE_NOT_FOUND ACPI: Try disabling either ACPI or apic support. cryptosoft0: <software crypto="">on motherboard padlock0: No ACE support. pcib0: <host to="" pci="" bridge="">pcibus 0 on motherboard pci0: <pci bus="">on pcib0 Geode LX: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007 pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached) vr0: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0 vr0: Quirks: 0x2 vr0: Revision: 0x96 miibus0: <mii bus="">on vr0 ukphy0: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus0 ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto vr0: [ITHREAD] vr1: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1400-0x14ff mem 0xe0040000-0xe00400ff irq 11 at device 10.0 on pci0 vr1: Quirks: 0x2 vr1: Revision: 0x96 miibus1: <mii bus="">on vr1 ukphy1: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus1 ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto vr1: [ITHREAD] vr2: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1800-0x18ff mem 0xe0080000-0xe00800ff irq 15 at device 11.0 on pci0 vr2: Quirks: 0x2 vr2: Revision: 0x96 miibus2: <mii bus="">on vr2 ukphy2: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus2 ukphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto vr2: [ITHREAD] ath0: <atheros 5212="">mem 0xe00c0000-0xe00cffff irq 9 at device 12.0 on pci0 ath0: [ITHREAD] ath0: AR5212 mac 5.9 RF5112 phy 4.3 isab0: <pci-isa bridge="">port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0 isa0: <isa bus="">on isab0 atapci0: <amd cs5536="" udma100="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0 ata0: <ata 0="" channel="">on atapci0 ata0: [ITHREAD] ata1: <ata 1="" channel="">on atapci0 ata1: [ITHREAD] ohci0: <ohci (generic)="" usb="" controller="">mem 0xefffe000-0xefffefff irq 12 at device 15.4 on pci0 ohci0: [ITHREAD] usbus0: <ohci (generic)="" usb="" controller="">on ohci0 ehci0: <amd cs5536="" (geode)="" usb="" 2.0="" controller="">mem 0xefffd000-0xefffdfff irq 12 at device 15.5 on pci0 ehci0: [ITHREAD] usbus1: EHCI version 1.0 usbus1: <amd cs5536="" (geode)="" usb="" 2.0="" controller="">on ehci0 cpu0 on motherboard orm0: <isa option="" rom="">at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0 atrtc0: <at real="" time="" clock="">at port 0x70 irq 8 on isa0 ppc0: parallel port not found. uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 uart0: [FILTER] uart0: console (9600,n,8,1) uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0 uart1: [FILTER] Timecounter "TSC" frequency 498052821 Hz quality 800 Timecounters tick every 10.000 msec IPsec: Initialized Security Association Processing. usbus0: 12Mbps Full Speed USB v1.0 usbus1: 480Mbps High Speed USB v2.0 ugen0.1: <amd>at usbus0 uhub0: <amd 1="" 9="" ohci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus0 ugen1.1: <amd>at usbus1 uhub1: <amd 1="" 9="" ehci="" root="" hub,="" class="" 0,="" rev="" 2.00="" 1.00,="" addr="">on usbus1 ad0: 3823MB <ts4gcf133 20110407="">at ata0-master PIO4 Root mount waiting for: usbus1 usbus0 uhub0: 4 ports with 4 removable, self powered Root mount waiting for: usbus1 uhub1: 4 ports with 4 removable, self powered Trying to mount root from ufs:/dev/ufs/pfsense0 Configuring crash dumps... Mounting filesystems... Setting up embedded specific environment... done. ___ ___/ f \\ / p \\___/ Sense \\___/ \\ \\___/ Welcome to pfSense 2.0.1-RELEASE ... Creating symlinks... . . . done. External config loader 1.0 is now starting... ad0s3 Launching the init system... done. Initializing... . . . . . . . . . . . . . . . . . . . . . . . . . done. Starting device manager (devd)... done. Loading configuration... . . . done. Updating configuration... done. Cleaning backup cache... . . . . . done. Setting up extended sysctls... done. Setting timezone... done. Starting Secure Shell Services... done. Setting up polling defaults... done. Setting up interfaces microcode... done. Configuring LAGG interfaces... done. Configuring VLAN interfaces... done. Configuring QinQ interfaces... done. Configuring WAN interface... done. Configuring AUX1 interface... done. Configuring AP0 interface... done. Configuring AUX2 interface... done. hallo hallo hallo Configuring APBRIDGE interface... done. Syncing OpenVPN settings... done. Starting syslog... done. pflog0: promiscuous mode enabled Configuring firewall . . . . . . done. Starting PFLOG... done. Setting up gateway monitors... done. Synchronizing user settings... done. Starting webConfigurator... done. Configuring CRON... done. Starting DHCP service... done. Starting DNS forwarder... done. Configuring firewall . . . . . . done. Starting OpenNTP time client... done. Starting captive portal... ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding enabled, default to accept, logging disabled load_dn_sched dn_sched FIFO loaded load_dn_sched dn_sched QFQ loaded load_dn_sched dn_sched RR loaded load_dn_sched dn_sched WF2Q+ loaded load_dn_sched dn_sched PRIO loaded done Generating RRD graphs... done. Starting CRON... done. Bootup complete</ts4gcf133></amd></amd></amd></amd></at></isa></amd></amd></ohci></ohci></ata></ata></amd></isa></pci-isa></atheros></generic></mii></via></generic></mii></via></generic></mii></via></encrypt></pci></host></software></mmx+,3dnow!+,3dnow!></fpu,de,pse,tsc,msr,cx8,sep,pge,cmov,clflush,mmx>
Snippet of ifconfig:
ath0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 2290 ether 90:a4:de:c7:55:57 media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap> status: running ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 ether 90:a4:de:c7:55:57 inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap> status: running ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57 regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30 scanvalid 60 burst -apbridge dtimperiod 1 -dfs</hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast></hostap></up,broadcast,running,simplex,multicast>
Also, 2.0.1 doesn't seem to show this, but in pfSense 2.1-beta the dmesg -a output contained the following lines:
Creating wireless clone interfaces... wlan0: changing name to 'ath0_wlan0' (...) ath0_wlan0: promiscuous mode enabled
-
Are you certain promisc is causing you a problem? Why do you want to disable it?
I believe that's just how it's supposed to operate in that mode.
-
Are you certain promisc is causing you a problem? Why do you want to disable it?
I believe that's just how it's supposed to operate in that mode.
I want to put the interface in monitor mode to capture WiFi frames. Supposedly it is promiscuous mode that causes tcpdump to capture network packets instead of data-link frames. (I know, it is an odd purpose for pfSense..)
-
By default tcpdump puts an interface into promiscuous mode to capture all datalink frames arriving at the interface. (In non-promiscuous mode the NIC accepts only frames addressed to its MAC address, the broadcast address and certain enabled multicast addresses.)
So why do you want to disable promiscuous mode? (I suspect you don't correctly understand promiscuous mode. See description of promiscuous mode in the description of the addm parameter in the ifconfig man page at http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+9.1-RELEASE&arch=default&format=html )
-
It's been a while since I played around with wifi at the base level but I seem to recall that the hardware cannot be in both hostap mode and monitor mode (or any other mode). Since pfSense does not allow you to select anything but hostap, infrastructure and ad-hoc you may not be able to this, at least not easily.
If you are using virtual APs the interface will need to be in promiscuous mode since each AP has its own MAC. The card must respond to packets addressed to the virtual MAC.Steve
Edit: typo
-
It looks like you're bridging, which requires promiscuous mode to function.
-
By default tcpdump puts an interface into promiscuous mode to capture all datalink frames arriving at the interface. (In non-promiscuous mode the NIC accepts only frames addressed to its MAC address, the broadcast address and certain enabled multicast addresses.)
So why do you want to disable promiscuous mode? (I suspect you don't correctly understand promiscuous mode. See description of promiscuous mode in the description of the addm parameter in the ifconfig man page at http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+9.1-RELEASE&arch=default&format=html )
Sorry, I was not clear: I'm talking about capturing in a wireless network.
It's been a while since I played around with wifi at the base level but I seem to recall that the hardware cannot be in both hostap mode and monitor mode (or any other mode). Since pfSense does not allow you to select anything but hostap, infrastructure and ad-hoc you not be able to this, at least not easily.
If you are using virtual APs the interface will need to be in promiscuous mode since each AP has its own MAC. The card must respond to packets addressed to the virtual MAC.Steve
That's correct, a WNIC can't function as an AP and monitor at the same time. By executing 'ifconfig ath0_wlan0 monitor' the wireless network is no longer available, so it is not functioning as an AP anymore. However, ifconfig shows that it's still in <hostap>mode, but then with a MONITOR flag.
ath0_wlan0: flags=48943 <up,broadcast,running,promisc,simplex,multicast,monitor>metric 0 mtu 1500 ether 90:a4:de:c7:55:57 inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap></hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast,monitor>
@cmb:
It looks like you're bridging, which requires promiscuous mode to function.
Aha! Indeed, there's a bridge between vr0, vr2 and ath0_wlan0. I'll try removing it from there.</hostap>
-
I must be missing something.
Is monitor mode incompatible in some way with promiscuous mode?
It seems to me that monitor mode either implies promiscuous (NIC accepts all receive frames) mode (in which case setting monitor and promiscuous mode shouldn't be troublesome) or monitor mode means set the NIC into "read only" mode (no "talking"). If the second interpretation is correct then extrapolating from the wired NIC case, it would seem monitor mode on its own would not be very useful because the NIC wouldn't see any frames addressed to its MAC address (since it doesn't talk so doesn't announce its presence).
A search of the FreeBSD ath, ath_pci, ifconfig and wlan man pages for monitor gave me no grounds for believing monitor mode would cause a WiFi NIC to accept all frames, regardless of destination MAC address. But maybe those documents assume a greater knowledge of the details of 802.11 than I possess.
-
Here's what I presume to be the real difference between these modes: http://superuser.com/a/285965/209376
I'm not sure whether they conflict, but at the moment it's my best guess.
-
Here's what I presume to be the real difference between these modes: http://superuser.com/a/285965/209376
Thanks for the link. That web page seems oriented to Linux (though the particular question is about Windows 7). Linux information might not be applicable to FreeBSD, the base operating system of pfSense.
I'm not sure whether they conflict, but at the moment it's my best guess.
You are attempting a capture and not seeing what you expect and looking for the reason? I have done packet capture (tcpdump) on a WiFi interface on one of my pfSense boxes and seen some type of POL frames. But that was with with the WIFi interface acting as an AP or WiFi client. I have not tried monitor mode on a pfSense box.
-
I confess all my wifi tinkering was using Linux in one form or another.
My thanks also for the link. That sums up what I what thinking better than I could have done.
I fairly sure that monitor mode is a feature of the chipset so I would imagine it exists under any OS. It may not be implemented or usable under FreeBSD, I'd be surprised if it wasn't though.
In my experience you only need to use monitor mode for some the more shady activities in world of wifi. ;) Not that all of them are necessarily bad. If you want to know what wifi there is in your area, what channel is least congested, you can't beat running kismet for a few hours. That uses monitor mode. What are you trying to do?Steve
-
Well, this is going offtopic, hopefully that's not an issue.. Note that I already had a topic about capturing frames which didn't quite get the attention like this one.
My purpose of using monitor mode is to measure signal strength. Monitoring is certainly kind of shady, but it's for a university research project I'm working on. And science is never shady! ::)
Examples of how I attempt to do this with tcpdump are given here and here. I tried the former approach but haven't yet had the time to do the latter. Here's an example tracefile which contains the exact type of output that I'm looking for.
edit: It is all geared towards Linux indeed. But like you said, I'm doubtful that FreeBSD is incapable of doing the same thing. If anything it must be the FreeBSD Atheros driver not supporting Monitor, or the Promisc mode on the interface is actually causing problems. I'll have time in the evening to try and see if the latter is the case.
-
If you are using pfSense as a base for this I would probably start with the atheros inerface unassigned. Otherwise you will be fighting the system as it tries to put card in hostap mode (or whatever you've selected).
Sounds like an interesting project anyway. :)Steve
-
The horror when you find out the solution has been waiting under your nose the whole time. :-\
Basically I had to combine the methods from both approaches in my previous post. That is, cloning the ath0 interface, putting that in monitor mode, and then running tcpdump with the -y ieee802_11_radio argument.
$ ifconfig wlan create wlandev ath0 $ ifconfig wlan1 down $ ifconfig wlan1 monitor $ ifconfig wlan1 channel 4 #monitor desired channel $ ifconfig wlan1 up $ ifconfig wlan1 wlan1: flags=48843 <up,broadcast,running,simplex,multicast,monitor>metric 0 mtu 1500 ether 90:a4:de:c7:55:57 inet6 fe80::92a4:deff:fec7:5557%wlan1 prefixlen 64 scopeid 0xc nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect (autoselect) status: no carrier ssid "" channel 4 (2427 MHz 11g) regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30 bmiss 7 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode OFF wme burst $ tcpdump -y ieee802_11_radio -n -e -tttt -vvv -i wlan1 -s 0</performnud,accept_rtadv></up,broadcast,running,simplex,multicast,monitor>
Beacon frames and probe requests/responses all over the place. The topic question isn't solved, but at least my problem is :) Thanks for thinking along guys, really helped me get a better perspective on things and to reach the idea of combining said approaches.
-
If someone will find this topic I've got one remark.
Initializing the monitor mode in 'separate lines' (like in the post above) didn't work for me.
I had to do it in one line with:ifconfig wlan create wlandev ath0 wlanmode monitor ifconfig wlan1 up
Interface options for reference:
wlan1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 ether 00:80:48:64:63:57 inet6 fe80::280:48ff:fe64:6357%wlan1 prefixlen 64 scopeid 0xb nd6 options=43 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <monitor> status: running ssid "" channel 11 (2462 MHz 11g) bssid 00:80:48:64:63:57 regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30 scanvalid 60 protmode OFF wme burst</monitor></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast>