Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Is this behaviour normal?

    General pfSense Questions
    3
    5
    388
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      guardian last edited by

      When I checked my daily log report I noticed that every interface on em0/em1 did:

      May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
      (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)
      followed by
      May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled
      (Message repeated for WAN: em0 - LAN: em1 + em1:everyVLAN)

      Is this normal? The system wasn't rebooted--infact it had been up for over 60 days.

      I decided to reboot pfSense just in case there was something funny going on. Is there anything else I need to investigate? What causes this kind of thing to happen?

      If you find my post useful, please give it a thumbs up!
      pfSense 2.5.2-RELEASE-CE

      1 Reply Last reply Reply Quote 0
      • KOM
        KOM last edited by

        It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

        1 Reply Last reply Reply Quote 0
        • bmeeks
          bmeeks last edited by bmeeks

          As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

          G 1 Reply Last reply Reply Quote 0
          • G
            guardian @bmeeks last edited by

            @bmeeks said in Is this behaviour normal?:

            As @KOM stated, the two IDS/IPS packages of Snort and Suricata will by default flip the interface they are installed on to promiscuous mode so they can sniff everything traversing hitting the interface. Suricata does give the user the option of disabling promiscuous mode, though. It's on the INTERFACE SETTINGS tab when you edit a configured Suricata interface.

            @KOM said in Is this behaviour normal?:

            It's normal if you happen to have packages installed that would flip the NIC into promiscuous mode as part of their normal operations, like snort.

            Thanks very much for the replies. I haven't had either Snort or Suricata installed recently as I found the setup to be more than I had time to deal with.

            Here are the packages I currently have installed:
            arping
            Backup
            Cron
            darkstat
            iftop
            iperf
            mailreport
            nmap
            notes
            nut
            openvpn-client-export
            pfBlockerNG
            RRD_Summary
            Softflowd
            Status_Traffic_Totals
            stunnel
            sudo
            syslog-ng

            Any thoughts?

            If you find my post useful, please give it a thumbs up!
            pfSense 2.5.2-RELEASE-CE

            1 Reply Last reply Reply Quote 0
            • KOM
              KOM last edited by

              Maybe nmap? You certainly are running ever package under the Sun 😀

              1 Reply Last reply Reply Quote 0
              • First post
                Last post