Cannot disable promiscuous mode

asdf

Hopefully this is in the right section.

I am trying to remove the "PROMISC" flag from an interface but it won't go away. Currently running pfSense 2.0.1 but had the same problem while trying 2.1-beta.

This is what happens. I'm root, and it doesn't matter if I put the interface down.

$ ifconfig ath0_wlan0
ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
(...)
$ ifconfig ath0_wlan0 -promisc
$ ifconfig ath0_wlan0
ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500</up,broadcast,running,promisc,simplex,multicast></up,broadcast,running,promisc,simplex,multicast> 

Some additional information, output of dmesg -a:

Copyright (c) 1992-2010 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 18:59:41 EST 2011
    root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Geode(TM) Integrated Processor by AMD PCS (498.05-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
  Features=0x88a93d <fpu,de,pse,tsc,msr,cx8,sep,pge,cmov,clflush,mmx>AMD Features=0xc0400000 <mmx+,3dnow!+,3dnow!>real memory  = 268435456 (256 MB)
avail memory = 243433472 (232 MB)
pnpbios: Bad PnP BIOS data checksum
netisr_init: forcing maxthreads to 1 and bindthreads to 0 for device polling
wlan: mac acl policy registered
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc0710010, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc07100b0, 0) error 1
wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (wpi_fw, 0xc0883050, 0) error 1
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc0710150, 0) error 1
K6-family MTRR support enabled (2 registers)
ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0: <software crypto="">on motherboard
padlock0: No ACE support.
pcib0: <host to="" pci="" bridge="">pcibus 0 on motherboard
pci0: <pci bus="">on pcib0
Geode LX: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007
pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached)
vr0: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: <mii bus="">on vr0
ukphy0: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr0: [ITHREAD]
vr1: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1400-0x14ff mem 0xe0040000-0xe00400ff irq 11 at device 10.0 on pci0
vr1: Quirks: 0x2
vr1: Revision: 0x96
miibus1: <mii bus="">on vr1
ukphy1: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus1
ukphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr1: [ITHREAD]
vr2: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">port 0x1800-0x18ff mem 0xe0080000-0xe00800ff irq 15 at device 11.0 on pci0
vr2: Quirks: 0x2
vr2: Revision: 0x96
miibus2: <mii bus="">on vr2
ukphy2: <generic ieee="" 802.3u="" media="" interface="">PHY 1 on miibus2
ukphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr2: [ITHREAD]
ath0: <atheros 5212="">mem 0xe00c0000-0xe00cffff irq 9 at device 12.0 on pci0
ath0: [ITHREAD]
ath0: AR5212 mac 5.9 RF5112 phy 4.3
isab0: <pci-isa bridge="">port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: <isa bus="">on isab0
atapci0: <amd cs5536="" udma100="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: <ata 0="" channel="">on atapci0
ata0: [ITHREAD]
ata1: <ata 1="" channel="">on atapci0
ata1: [ITHREAD]
ohci0: <ohci (generic)="" usb="" controller="">mem 0xefffe000-0xefffefff irq 12 at device 15.4 on pci0
ohci0: [ITHREAD]
usbus0: <ohci (generic)="" usb="" controller="">on ohci0
ehci0: <amd cs5536="" (geode)="" usb="" 2.0="" controller="">mem 0xefffd000-0xefffdfff irq 12 at device 15.5 on pci0
ehci0: [ITHREAD]
usbus1: EHCI version 1.0
usbus1: <amd cs5536="" (geode)="" usb="" 2.0="" controller="">on ehci0
cpu0 on motherboard
orm0: <isa option="" rom="">at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0
atrtc0: <at real="" time="" clock="">at port 0x70 irq 8 on isa0
ppc0: parallel port not found.
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: [FILTER]
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
uart1: [FILTER]
Timecounter "TSC" frequency 498052821 Hz quality 800
Timecounters tick every 10.000 msec
IPsec: Initialized Security Association Processing.
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: <amd>at usbus0
uhub0: <amd 1="" 9="" ohci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus0
ugen1.1: <amd>at usbus1
uhub1: <amd 1="" 9="" ehci="" root="" hub,="" class="" 0,="" rev="" 2.00="" 1.00,="" addr="">on usbus1
ad0: 3823MB <ts4gcf133 20110407="">at ata0-master PIO4 
Root mount waiting for: usbus1 usbus0
uhub0: 4 ports with 4 removable, self powered
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ufs/pfsense0
Configuring crash dumps...
Mounting filesystems...
Setting up embedded specific environment...
 done.

     ___
 ___/ f \\
/ p \\___/ Sense
\\___/   \\
    \\___/

Welcome to pfSense 2.0.1-RELEASE  ...

Creating symlinks...
.
.
.
done.
External config loader 1.0 is now starting...
 ad0s3

Launching the init system...
 done.
Initializing...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
 done.
Starting device manager (devd)...
done.
Loading configuration...
.
.
.
done.
Updating configuration...
done.
Cleaning backup cache...
.
.
.
.
.
done.
Setting up extended sysctls...
done.
Setting timezone...
done.
Starting Secure Shell Services...
done.
Setting up polling defaults...
done.
Setting up interfaces microcode...
done.
Configuring LAGG interfaces...
done.
Configuring VLAN interfaces...
done.
Configuring QinQ interfaces...
done.
Configuring WAN interface...
done.
Configuring AUX1 interface...
done.
Configuring AP0 interface...
done.
Configuring AUX2 interface...
done.
hallo
hallo
hallo
Configuring APBRIDGE interface...
done.
Syncing OpenVPN settings...
done.
Starting syslog...
done.
pflog0: promiscuous mode enabled
Configuring firewall
.
.
.
.
.
.
done.
Starting PFLOG...
done.
Setting up gateway monitors...
done.
Synchronizing user settings...
done.
Starting webConfigurator...
done.
Configuring CRON...
done.
Starting DHCP service...
done.
Starting DNS forwarder...
done.
Configuring firewall
.
.
.
.
.
.
done.
Starting OpenNTP time client...
done.
Starting captive portal... 
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding enabled, default to accept, logging disabled
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
done
Generating RRD graphs...
done.
Starting CRON... 
done.
Bootup complete</ts4gcf133></amd></amd></amd></amd></at></isa></amd></amd></ohci></ohci></ata></ata></amd></isa></pci-isa></atheros></generic></mii></via></generic></mii></via></generic></mii></via></encrypt></pci></host></software></mmx+,3dnow!+,3dnow!></fpu,de,pse,tsc,msr,cx8,sep,pge,cmov,clflush,mmx> 

Snippet of ifconfig:

ath0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 2290
        ether 90:a4:de:c7:55:57
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs</hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast></hostap></up,broadcast,running,simplex,multicast>

Also, 2.0.1 doesn't seem to show this, but in pfSense 2.1-beta the dmesg -a output contained the following lines:

Creating wireless clone interfaces...
wlan0: changing name to 'ath0_wlan0'
(...)
ath0_wlan0: promiscuous mode enabled

jimp

Are you certain promisc is causing you a problem? Why do you want to disable it?

I believe that's just how it's supposed to operate in that mode.

asdf

@jimp:

Are you certain promisc is causing you a problem? Why do you want to disable it?

I believe that's just how it's supposed to operate in that mode.

I want to put the interface in monitor mode to capture WiFi frames. Supposedly it is promiscuous mode that causes tcpdump to capture network packets instead of data-link frames. (I know, it is an odd purpose for pfSense..)

wallabybob

By default tcpdump puts an interface into promiscuous mode to capture all datalink frames arriving at the interface. (In non-promiscuous mode the NIC accepts only frames addressed to its MAC address, the broadcast address and certain enabled multicast addresses.)

So why do you want to disable promiscuous mode? (I suspect you don't correctly understand promiscuous mode. See description of promiscuous mode in the description of the addm parameter in the ifconfig man page at http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+9.1-RELEASE&arch=default&format=html )

stephenw10

It's been a while since I played around with wifi at the base level but I seem to recall that the hardware cannot be in both hostap mode and monitor mode (or any other mode). Since pfSense does not allow you to select anything but hostap, infrastructure and ad-hoc you may not be able to this, at least not easily.
If you are using virtual APs the interface will need to be in promiscuous mode since each AP has its own MAC. The card must respond to packets addressed to the virtual MAC.

Steve

Edit: typo

cmb

It looks like you're bridging, which requires promiscuous mode to function.

asdf

@wallabybob:

By default tcpdump puts an interface into promiscuous mode to capture all datalink frames arriving at the interface. (In non-promiscuous mode the NIC accepts only frames addressed to its MAC address, the broadcast address and certain enabled multicast addresses.)

So why do you want to disable promiscuous mode? (I suspect you don't correctly understand promiscuous mode. See description of promiscuous mode in the description of the addm parameter in the ifconfig man page at http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+9.1-RELEASE&arch=default&format=html )

Sorry, I was not clear: I'm talking about capturing in a wireless network.

@stephenw10:

It's been a while since I played around with wifi at the base level but I seem to recall that the hardware cannot be in both hostap mode and monitor mode (or any other mode). Since pfSense does not allow you to select anything but hostap, infrastructure and ad-hoc you not be able to this, at least not easily.
If you are using virtual APs the interface will need to be in promiscuous mode since each AP has its own MAC. The card must respond to packets addressed to the virtual MAC.

Steve

That's correct, a WNIC can't function as an AP and monitor at the same time. By executing 'ifconfig ath0_wlan0 monitor' the wireless network is no longer available, so it is not functioning as an AP anymore. However, ifconfig shows that it's still in <hostap>mode, but then with a MONITOR flag.

ath0_wlan0: flags=48943 <up,broadcast,running,promisc,simplex,multicast,monitor>metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap></hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast,monitor>

@cmb:

It looks like you're bridging, which requires promiscuous mode to function.

Aha! Indeed, there's a bridge between vr0, vr2 and ath0_wlan0. I'll try removing it from there.</hostap>

wallabybob

I must be missing something.

Is monitor mode incompatible in some way with promiscuous mode?

It seems to me that monitor mode either implies promiscuous (NIC accepts all receive frames) mode (in which case setting monitor and promiscuous mode shouldn't be troublesome) or monitor mode means set the NIC into "read only" mode (no "talking"). If the second interpretation is correct then extrapolating from the wired NIC case, it would seem monitor mode on its own would not be very useful because the NIC wouldn't see any frames addressed to its MAC address (since it doesn't talk so doesn't announce its presence).

A search of the FreeBSD ath, ath_pci, ifconfig and wlan man pages for monitor gave me no grounds for believing monitor mode would cause a WiFi NIC to accept all frames, regardless of destination MAC address. But maybe those documents assume a greater knowledge of the details of 802.11 than I possess.

asdf

Here's what I presume to be the real difference between these modes: http://superuser.com/a/285965/209376

I'm not sure whether they conflict,  but at the moment it's my best guess.

wallabybob

@asdf:

Here's what I presume to be the real difference between these modes: http://superuser.com/a/285965/209376

Thanks for the link. That web page seems oriented to Linux (though the particular question is about Windows 7). Linux information might not be applicable to FreeBSD, the base operating system of pfSense.

@asdf:

I'm not sure whether they conflict,  but at the moment it's my best guess.

You are attempting a capture and not seeing what you expect and looking for the reason? I have done packet capture (tcpdump) on a WiFi interface on one of my pfSense boxes and seen some type of POL frames. But that was with with the WIFi interface acting as an AP or WiFi client. I have not tried monitor mode on a pfSense box.

stephenw10

I confess all my wifi tinkering was using Linux in one form or another.
My thanks also for the link. That sums up what I what thinking better than I could have done.
I fairly sure that monitor mode is a feature of the chipset so I would imagine it exists under any OS. It may not be implemented or usable under FreeBSD, I'd be surprised if it wasn't though.
In my experience you only need to use monitor mode for some the more shady activities in world of wifi.  ;) Not that all of them are necessarily bad. If you want to know what wifi there is in your area, what channel is least congested, you can't beat running kismet for a few hours. That uses monitor mode. What are you trying to do?

Steve

asdf

Well, this is going offtopic, hopefully that's not an issue.. Note that I already had a topic about capturing frames which didn't quite get the attention like this one.

My purpose of using monitor mode is to measure signal strength. Monitoring is certainly kind of shady, but it's for a university research project I'm working on. And science is never shady! ::)

Examples of how I attempt to do this with tcpdump are given here and here. I tried the former approach but haven't yet had the time to do the latter. Here's an example tracefile which contains the exact type of output that I'm looking for.

edit: It is all geared towards Linux indeed. But like you said, I'm doubtful that FreeBSD is incapable of doing the same thing. If anything it must be the FreeBSD Atheros driver not supporting Monitor, or the Promisc mode on the interface is actually causing problems. I'll have time in the evening to try and see if the latter is the case.

stephenw10

If you are using pfSense as a base for this I would probably start with the atheros inerface unassigned. Otherwise you will be fighting the system as it tries to put card in hostap mode (or whatever you've selected).
Sounds like an interesting project anyway.  :)

Steve

asdf

The horror when you find out the solution has been waiting under your nose the whole time.  :-\

Basically I had to combine the methods from both approaches in my previous post. That is, cloning the ath0 interface, putting that in monitor mode, and then running tcpdump with the -y ieee802_11_radio argument.

$ ifconfig wlan create wlandev ath0
$ ifconfig wlan1 down
$ ifconfig wlan1 monitor 
$ ifconfig wlan1 channel 4 #monitor desired channel
$ ifconfig wlan1 up
$ ifconfig wlan1
wlan1: flags=48843 <up,broadcast,running,simplex,multicast,monitor>metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%wlan1 prefixlen 64 scopeid 0xc
        nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid "" channel 4 (2427 MHz 11g)
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        bmiss 7 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
        roam:rate 5 protmode OFF wme burst
$ tcpdump -y ieee802_11_radio -n -e -tttt -vvv -i wlan1 -s 0</performnud,accept_rtadv></up,broadcast,running,simplex,multicast,monitor> 

Beacon frames and probe requests/responses all over the place. The topic question isn't solved, but at least my problem is :) Thanks for thinking along guys, really helped me get a better perspective on things and to reach the idea of combining said approaches.

kaczor1984

If someone will find this topic I've got one remark.
Initializing the monitor mode in 'separate lines' (like in the post above) didn't work for me.
I had to do it in one line with:

ifconfig wlan create wlandev ath0 wlanmode monitor
ifconfig wlan1 up

Interface options for reference:

wlan1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
        ether 00:80:48:64:63:57
        inet6 fe80::280:48ff:fe64:6357%wlan1 prefixlen 64 scopeid 0xb 
        nd6 options=43 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <monitor>
        status: running
        ssid "" channel 11 (2462 MHz 11g) bssid 00:80:48:64:63:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 protmode OFF wme burst</monitor></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast>