How to check if a network interface is in promiscuous mode in Linux


Introduction

In this lab, you will learn how to check if a network interface in Linux is operating in promiscuous mode. Promiscuous mode allows a network interface to capture all network traffic it receives, regardless of the destination address, which is essential for network monitoring and analysis.

You will explore three different methods to determine the promiscuous mode status: using the ip link show command to inspect interface flags, utilizing the tcpdump command to observe packet capture behavior, and examining the interface's configuration within the /sys/class/net filesystem. By completing these steps, you will gain practical skills in verifying network interface configurations in a Linux environment.


Check with ip link show

In this step, you will learn how to check the promiscuous mode status of a network interface using the ip link show command. Promiscuous mode is a setting for a network interface controller (NIC) that makes it pass all traffic it receives to the central processing unit (CPU), rather than only the frames addressed to the controller itself. This is often used for network monitoring and analysis.

First, open the terminal if you haven't already. You can do this by clicking the Xfce Terminal icon on the left side of the desktop.

Now, let's use the ip link show command to view the status of your network interfaces. Type the following command and press Enter:

ip link show

You will see output similar to this:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff

Look for the line corresponding to your primary network interface, which is typically named eth0 in this environment. Examine the flags within the angle brackets (<>). If PROMISC is present in these flags, the interface is in promiscuous mode. In the example output above, PROMISC is not present, indicating that eth0 is not in promiscuous mode.

The ip link show command is a fundamental tool for inspecting network interface configurations in Linux. Understanding its output, including the various flags and states, is crucial for network troubleshooting and administration.

Click Continue to proceed to the next step.

Verify with tcpdump -i

In this step, you will use the tcpdump command to verify the promiscuous mode status of a network interface. tcpdump is a powerful command-line packet analyzer. It can capture and display packets being transmitted or received over a network. When an interface is in promiscuous mode, tcpdump can capture all packets on the network segment, regardless of their destination address.

First, you need to install tcpdump. Use the sudo apt install command, similar to how you installed htop in the previous lab.

sudo apt update
sudo apt install tcpdump -y

The -y flag automatically answers yes to any prompts during the installation.

Now, let's use tcpdump to listen on the eth0 interface. We will use the -i option to specify the interface and the -n option to prevent DNS lookups, which makes the output cleaner. Note that tcpdump enables promiscuous mode on the interface itself by default; if you want to observe the interface in whatever mode it already has, add the -p option, which tells tcpdump not to do so.

sudo tcpdump -i eth0 -n

You will see output indicating that tcpdump is listening on eth0.

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type ETHERNET (100Mbps), snapshot length 262144 bytes

If the interface is in promiscuous mode, tcpdump will capture all traffic it sees. If it's not in promiscuous mode, it will only capture traffic directed to its MAC address or broadcast/multicast traffic.

To generate some traffic, you can open another terminal window (or a new tab in your current terminal) and try pinging a website, for example:

ping -c 4 google.com

Observe the output in the tcpdump terminal. You should see packets being captured.

Important: To stop tcpdump, press Ctrl + C in the terminal where tcpdump is running.

tcpdump itself does not state "promiscuous mode" in its startup output, but its ability to capture traffic not addressed to the interface is a practical way to confirm that promiscuous mode is active: if you see traffic unrelated to your own system's communication (such as ARP requests from other devices on the network segment), that is a strong indicator. Two further signals are worth knowing. Whenever a program enables promiscuous mode, the kernel logs a message that the device entered promiscuous mode (and later that it left), which you can read with dmesg. And because a capture tool enables promiscuous mode through its packet socket rather than by setting the interface flag, the PROMISC flag from Step 1 can stay absent while tcpdump is running; ip -d link show eth0 reports a promiscuity counter that is non-zero in that case.
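Because the kernel logs every transition into and out of promiscuous mode, the kernel log is a way to find out which interfaces a capture tool currently holds in that mode without running a capture yourself. The following is an added example for this lab, not code from the original page: the function name promisc_ifaces_from_log is my own, and the log lines are constructed, written in the two wordings the kernel has used for this message ("device eth0 entered promiscuous mode" on older kernels, "eth0: entered promiscuous mode" on newer ones).

```shell
#!/bin/sh
# Added example for this lab (not part of the original page): work out from kernel
# log lines which interfaces are currently in promiscuous mode. Each time a program
# such as tcpdump enables promiscuous mode the kernel logs "entered promiscuous mode"
# for the device, and "left promiscuous mode" when the last user releases it.
# The scanner takes the log text as an argument so it runs on the constructed
# sample below as well as on "dmesg" output.

# Constructed sample in both wordings of the message. eth0 was captured on and
# released; eth1 is still in promiscuous mode; eth2 had two capture tools attached
# and only one of them has exited, so the kernel still holds it in promiscuous mode.
SAMPLE_KLOG='[  120.100000] device eth0 entered promiscuous mode
[  131.200000] device eth0 left promiscuous mode
[  200.500000] eth1: entered promiscuous mode
[  210.000000] eth2: entered promiscuous mode
[  211.000000] eth2: entered promiscuous mode
[  250.000000] eth2: left promiscuous mode'

# promisc_ifaces_from_log TEXT: print, one per line and sorted, each interface
# whose "entered" events outnumber its "left" events in TEXT.
promisc_ifaces_from_log() {
    printf '%s\n' "$1" | awk '
        /(entered|left) promiscuous mode/ {
            n = split($0, w, " ")
            for (i = 2; i <= n; i++) {
                if (w[i] == "entered" || w[i] == "left") {
                    # The interface name precedes the verb in both wordings;
                    # the newer wording carries a trailing colon.
                    name = w[i - 1]; sub(/:$/, "", name)
                    depth[name] += (w[i] == "entered") ? 1 : -1
                    break
                }
            }
        }
        END { for (name in depth) if (depth[name] > 0) print name }' | sort
}

# Live check: the same scan over the kernel ring buffer (dmesg may require root).
live_promisc_ifaces() { promisc_ifaces_from_log "$(dmesg 2>/dev/null)"; }

echo "Interfaces still in promiscuous mode according to the sample log:"
promisc_ifaces_from_log "$SAMPLE_KLOG"
```

The ring buffer is finite, so on a long-running system the earliest "entered" lines may already have been overwritten; treat the result as a hint to be confirmed with ip -d link show, which reports the kernel's own promiscuity counter.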

Click Continue to move on.

Inspect interface in /sys/class/net

In this step, you will explore the /sys filesystem to find information about your network interfaces, including the promiscuous mode status. The /sys filesystem is a virtual filesystem in Linux that provides a way to interact with the kernel and device drivers. It exposes information about hardware devices and their configuration.

Navigate to the network interfaces directory within /sys. Use the cd command to change your current directory:

cd /sys/class/net/

Now, list the contents of this directory using the ls command:

ls

You will see a list of your network interfaces, similar to the output of ip link show. You should see eth0 and lo.

eth0  lo

Each directory here corresponds to a network interface. Let's look inside the directory for eth0:

cd eth0

Now, list the files within the eth0 directory:

ls

You will see many files and directories containing information about the eth0 interface. The promiscuous mode status is carried by the file named flags, which holds the interface's flag bitmask. If you have moved elsewhere in the meantime, return to the interface directory first:

cd /sys/class/net/eth0

Now use the cat command to display the content of the flags file:

cat flags

The output is a hexadecimal number. It is a bitmask of the interface flags defined in the kernel's <linux/if.h> header (the IFF_ constants), and PROMISC is one bit in that mask; to interpret the value by hand you refer to those definitions. The /sys filesystem provides the raw kernel data that tools like ip read and print by name, so the PROMISC flag in the ip link show output from Step 1 is the more user-friendly form of the same check.

This step demonstrates how the /sys filesystem provides low-level access to device information. Decoding promiscuous mode from the flags bitmask takes more work than reading the ip link show output, but understanding this filesystem is valuable for advanced Linux system analysis.
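Decoding the bitmask is mechanical once the bit values are at hand. The following is an added example for this lab, not code from the original page: the function names decode_flags, is_promisc_flags and sysfs_promisc are my own, the bit values are the IFF_ constants from <linux/if.h> (PROMISC is 0x100), and the sample values fed to the decoder are constructed so it can be run without the interface present.

```shell
#!/bin/sh
# Added example for this lab (not part of the original page): decode the hexadecimal
# bitmask in /sys/class/net/<iface>/flags into flag names, and test the PROMISC bit
# directly. Bit values are the IFF_* constants from <linux/if.h>; PROMISC is 0x100.

# Flag table as NAME=decimal_value, in bit order (IFF_UP=0x1 ... IFF_ECHO=0x40000).
IFF_TABLE='UP=1 BROADCAST=2 DEBUG=4 LOOPBACK=8 POINTOPOINT=16 NOTRAILERS=32 RUNNING=64
NOARP=128 PROMISC=256 ALLMULTI=512 MASTER=1024 SLAVE=2048 MULTICAST=4096
PORTSEL=8192 AUTOMEDIA=16384 DYNAMIC=32768 LOWER_UP=65536 DORMANT=131072 ECHO=262144'

# decode_flags VALUE: print the names of the bits set in VALUE (hex such as 0x11043,
# or decimal), comma separated in table order. RUNNING shows up here although
# "ip link show" leaves it out of its angle-bracket list.
decode_flags() {
    value=$(( $1 ))
    out=""
    for entry in $IFF_TABLE; do
        name=${entry%%=*}
        bit=${entry#*=}
        if [ $(( value & bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# is_promisc_flags VALUE: succeed (return 0) when the PROMISC bit (0x100) is set.
is_promisc_flags() {
    [ $(( $1 & 256 )) -ne 0 ]
}

# sysfs_promisc IFACE: read the live flags file and report the decoded state;
# prints "unavailable" when the file cannot be read (no such interface, not Linux).
sysfs_promisc() {
    f=/sys/class/net/$1/flags
    if [ -r "$f" ]; then
        v=$(cat "$f")
        if is_promisc_flags "$v"; then state=promisc; else state=not-promisc; fi
        printf '%s: %s -> %s (%s)\n' "$1" "$v" "$state" "$(decode_flags "$v")"
    else
        printf '%s: unavailable\n' "$1"
    fi
}

# Constructed sample values: a running eth0 as in the lab (0x11043), the same
# interface after "ip link set eth0 promisc on" (0x11143), and a loopback device.
for sample in 0x11043 0x11143 0x10049; do
    if is_promisc_flags "$sample"; then state=promisc; else state=not-promisc; fi
    printf '%s -> %s (%s)\n' "$sample" "$state" "$(decode_flags "$sample")"
done
sysfs_promisc eth0
```

As with ip link show, the flags file reflects the administratively set PROMISC flag; a capture tool that enabled promiscuous mode through a packet socket is visible in the promiscuity counter of ip -d link show rather than in this bitmask.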

Click Continue to complete this step.

Summary

In this lab, you learned how to check if a network interface is in promiscuous mode in Linux using the ip link show command. This command displays network interface configurations, and the presence of the PROMISC flag indicates promiscuous mode. You also began to explore using the tcpdump command as another method for verifying the promiscuous mode status by capturing network traffic, and you located the raw flag bitmask that ip reads in /sys/class/net/eth0/flags.