#1
Prospect
Join Date: May 2005
Posts: 10

How do you turn off Promiscuous Mode on an Ethernet Adapter
In Mac OS X (specifically 10.4.3), how do you turn off promiscuous mode on an Ethernet adapter? Is there a setting somewhere? A unix command? A utility? Any help would be very appreciated!

#2
Hall of Famer
Join Date: Sep 2003
Location: Tokyo
Posts: 4,419

Try a cold shower and some stern lectures on the dangers of unprotected, casual communication. If that's unsuccessful, look for a 12-step program in your area. If it still doesn't settle down with one regular node (up to 4 in Utah) then look for convents or military academies.

#3
Prospect
Join Date: May 2005
Posts: 10

K, if anybody else can help, it'd be really appreciated!

#5
Hall of Famer
Join Date: Sep 2003
Location: Old Europe
Posts: 4,892

sudo chmod 000 /dev/bpf?

#6
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,452

Please tell us more about your situation. In particular, how do you know it is in promiscuous mode? What programs are you running? Etc. Full details.

#7
Prospect
Join Date: May 2005
Posts: 10

I don't know for a fact that it's promiscuous mode but it does appear to be and I'm not alone in seeing this. The only change I made to the system was installing Mac OS 10.4.3. It's happening to every lab with 4.3 on it, but no labs that have 4.2, and it began happening right after the upgrade. Another person that was having the same problem said this to me:
_________________________________________
I've noticed this too. I'll explain my situation, and then why I think it's happening.

We have a massive 24-port 100 Mbit hub at work in our computer lab, and when I take my 12" iBook G4 to work, I usually hook it up to one of the ports on the hub (we have no wireless). Local LAN access and Internet access have always been snappy, even though we're on a hub and our lab network is pretty heavily-trafficked. As you know, hubs are pretty "dumb" devices in that whatever comes in one port is repeated to all the other ports -- the hub leaves it up to the Ethernet adapter/OS on the receiving side to filter out the Ethernet frames that are not meant for that station.

This used to never be a problem up until I showed up at work one day with 10.4.3 installed. We have a FreeBSD server running Samba that we dump benchmarks and other huge data onto. As soon as a friend of mine started a ~15 GB transfer, my network access went to ****. My ping times to the local server were abysmal, my transfer rates to the local server were in the tens of kilobytes, and the Internet was pretty much unusable.

What seems to have happened is that the Ethernet adapters have been put into promiscuous mode with 10.4.3. What that means is that the adapter accepts everything as being meant for it, and leaves it up to the OS to filter the packets. This, unfortunately, completely kills your network connection if you're receiving thousands of packets per second that are not meant for you. Within about one hour I had clocked up something like 1 million discarded packets.
_________________________________________
I am seeing the exact things where I am too on only the 10.4.3 computers. My problem is that the network will have to filter so many packets that when you try to load a program from the server, it will take forever when it used to just take a few seconds, and that ARD will now drop connection every time you use it because it can't keep up. I thought with all the tech minded people here, this would be the best place to ask my question about turning it off if there is an option/utility/command to do so.

#8
Hall of Famer
Join Date: Sep 2003
Location: Old Europe
Posts: 4,892

100 MBit +hubs+ are antique.
Get a decent switch and make it Gigabit while you're at it. Rolling back to 10.4.2 is another option. I've seen several reports here which look like there might indeed be a problem with 10.4.3 networking performance but no well-researched analysis of the problem although it is likely to be in Darwin, so it should be in plain sight.

#9
Prospect
Join Date: May 2005
Posts: 10

In our situation, we have 100MB switches for all computers and gigabit for between buildings.

#10
Moderator
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 17,123

Can you please give us the results of the Terminal command ifconfig on one of the computers running 10.4.3 where you believe it to be in promiscuous mode? Also, you've never answered my question about snort/Henwen.

Trevor
__________________
Join me in playing FuMafia

#11
Prospect
Join Date: May 2005
Posts: 10

Neither Snort nor Henwen are running. The output gives:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::230:65ff:fef2:13a6%en0 prefixlen 64 scopeid 0x4
    inet 10.193.3.25 netmask 0xffff0000 broadcast 10.193.255.255
    ether 00:30:65:f2:13:a6
    media: autoselect (100baseTX <full-duplex>) status: active
    supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback>
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:30:65:ff:fe:f2:13:a6
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>

#12
Moderator
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 17,123

I do not believe that you are running in Promiscuous mode. I am purposely running in Promiscuous mode, since I am using Henwen/snort (which gives you a checkbox for this option), and my ifconfig shows:
Code:
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
One possible difference is that I am using 10.3.9 on this particular computer, whereas you are on 10.4.x, but I believe that "PROMISC" should show on a Tiger computer running in promiscuous mode as well. Can anyone purposely running that mode with Tiger verify this for us?

Trevor
__________________
Join me in playing FuMafia

#13
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,452

I have verified that PROMISC shows up in the output from 'ifconfig' on Tiger (10.4.3) when I am running Ethereal. It doesn't show PROMISC once I quit Ethereal.

[edit]
I see now that merely running Ethereal doesn't put the interface into promiscuous mode - it puts it into promiscuous mode when you start a capture, and then it stays in that mode even after the capture has finished. It restores the interface to its previous state when you quit Ethereal. And I see that there is a preference setting in Ethereal that controls this (under the Capture section) - promiscuous mode is on by default for captures but you can turn it off if you like.

jcjamesx: So this means that you could run Ethereal and turn off promiscuous mode in the preferences and then do a capture to see what all these packets are that are seeming to interfere with your network.
[/edit]

Last edited by hayne; 12-07-2005 at 03:29 PM.

#14
Moderator
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 17,123

Thanks hayne. So jcjamesx, it is confirmed that given the output of ifconfig that you showed us, you are not running in Promiscuous mode. As mentioned above, you may want to run Ethereal to see exactly what is actually happening to cause the slowdown you are experiencing, but it does not appear to be due to promiscuous mode.

Trevor

P.S. I wonder how many hits this thread will get from folks Googling for porn?
__________________
Join me in playing FuMafia
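The two ifconfig outputs compared in posts #11 to #13 differ only in flags=8863 versus flags=8963, that is, in bit 0x100, which is IFF_PROMISC on BSD-derived systems. The following is an added example, not code from any poster in this thread: a shell function that tests that bit for every interface in ifconfig-style output. The function names and the combined sample (lines taken from the two excerpts above) are assumptions made for the example.

```shell
#!/bin/sh
# IFF_PROMISC is bit 0x100 (decimal 256) of the interface flags word.
IFF_PROMISC=256

# Sample input assembled for this example from the ifconfig lines
# posted in the thread (en0 from post #11, en1 from post #12).
sample_output() {
cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:30:65:f2:13:a6
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
EOF
}

# Read ifconfig-style text on stdin and print the name of each interface
# whose flags word has the promiscuous bit set.
promisc_ifaces() {
    while IFS= read -r line; do
        # Only unindented "name: flags=..." lines start an interface record.
        case $line in
            [a-z]*:\ flags=*) ;;
            *) continue ;;
        esac
        name=${line%%:*}
        hex=${line#*flags=}
        hex=${hex%%<*}
        # Accept only hex digits before handing the value to arithmetic.
        case $hex in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        if [ $(( 0x$hex & $IFF_PROMISC )) -ne 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Stand-alone demo on the sample; prints: en1
sample_output | promisc_ifaces
```

On a live machine the same function can be fed with `ifconfig -a | promisc_ifaces`; empty output means no interface currently reports the promiscuous bit.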