Is this behaviour normal?



  • When I checked my daily log report I noticed that every interface on em0/em1 did:

    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
    (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
    followed by
    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled
    (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)

    Is this normal? The system wasn't rebooted--in fact it had been up for over 60 days.

    I decided to reboot pfSense just in case there was something funny going on. Is there anything else I need to investigate? What causes this kind of thing to happen?



  • It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.



  • As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.



  • @bmeeks said in Is this behaviour normal?:

    As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

    @KOM said in Is this behaviour normal?:

    It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

    Thanks very much for the replies. I haven't had either Snort or Suricata installed recently as I found the setup to be more than I had time to deal with.

    Here are the packages I currently have installed:
    arping
    Backup
    Cron
    darkstat
    iftop
    iperf
    mailreport
    nmap
    notes
    nut
    openvpn-client-export
    pfBlockerNG
    RRD_Summary
    Softflowd
    Status_Traffic_Totals
    stunnel
    sudo
    syslog-ng

    Any thoughts?



  • Maybe nmap? You certainly are running every package under the Sun 😀
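
An added example, not written by any poster in this thread: a small parser for the kernel messages quoted in the first post that groups disabled-then-enabled toggles by timestamp and reports the last logged state per interface. The sample log is constructed; the VLAN name `em1.10`, the second timestamp and the 2-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kernel lines in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+\S+\s+kernel:\s+"
    r"(?P<iface>[\w.]+):\s+promiscuous mode (?P<state>enabled|disabled)\s*$")

def parse_events(lines):
    """Return (datetime, iface, state) for every promiscuous-mode line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog omits the year; 2000 is an arbitrary stand-in (assumption).
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["state"]))
    return events

def find_flaps(events, window_seconds=2):
    """Map re-enable time -> interfaces that went disabled then enabled in the window."""
    last_disabled, flaps = {}, defaultdict(list)
    for ts, iface, state in events:
        if state == "disabled":
            last_disabled[iface] = ts
        elif iface in last_disabled:
            if (ts - last_disabled.pop(iface)).total_seconds() <= window_seconds:
                flaps[ts].append(iface)
    return dict(flaps)

def final_state(events):
    """Last state logged per interface."""
    return {iface: state for _, iface, state in events}

# Constructed sample modelled on the lines in the first post (not real log data).
SAMPLE_LOG = """\
May  1 05:35:01 pfsense kernel: em0: promiscuous mode disabled
May  1 05:35:01 pfsense kernel: em1: promiscuous mode disabled
May  1 05:35:01 pfsense kernel: em1.10: promiscuous mode disabled
May  1 05:35:01 pfsense kernel: em0: promiscuous mode enabled
May  1 05:35:01 pfsense kernel: em1: promiscuous mode enabled
May  1 05:35:01 pfsense kernel: em1.10: promiscuous mode enabled
May  3 11:02:44 pfsense kernel: em1.10: promiscuous mode disabled
""".splitlines()

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(find_flaps(events), final_state(events), sep="\n")
```

A flap that hits every interface in the same second can then be compared against the schedules of the installed packages that open capture handles.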

