Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Is this behaviour normal?

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 3 Posters 944 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      guardian Rebel Alliance
      last edited by

      When I checked my daily log report I noticed that every interface on em0/em1 did:

      May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
      (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
      followed by
      May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled
      (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)

      Is this normal? The system wasn't rebooted--infact it had been up for over 60 days.

      I decided to reboot pfSense just in case there was something funny going on. Is there anything else I need to investigate? What causes this kind of thing to happen?

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      1 Reply Last reply Reply Quote 0
      • KOMK Offline
        KOM
        last edited by

        It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

        1 Reply Last reply Reply Quote 0
        • bmeeksB Offline
          bmeeks
          last edited by bmeeks

          As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

          G 1 Reply Last reply Reply Quote 0
          • G Offline
            guardian Rebel Alliance @bmeeks
            last edited by

            @bmeeks said in Is this behaviour normal?:

            As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

            @KOM said in Is this behaviour normal?:

            It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

            Thanks very much for the replies. I haven't had either Snort or Suricata installed recently as I found the setup to be more than I had time to deal with.

            Here are the packages I currently have installed:
            arping
            Backup
            Cron
            darkstat
            iftop
            iperf
            mailreport
            nmap
            notes
            nut
            openvpn-client-export
            pfBlockerNG
            RRD_Summary
            Softflowd
            Status_Traffic_Totals
            stunnel
            sudo
            syslog-ng

            Any thoughts?

            If you find my post useful, please give it a thumbs up!
            pfSense 2.7.2-RELEASE

            1 Reply Last reply Reply Quote 0
            • KOMK Offline
              KOM
              last edited by

              Maybe nmap? You certainly are running ever package under the Sun 😀

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.