promiscuous mode?

[Super Bee]

Noticed this in the on my RT-N66U router log. Is this anything to be concerned about?

Dec 5 16:23:15 unknown user.info kernel: device vlan1 left promiscuous mode
Dec 5 16:23:15 unknown user.info kernel: br0: port 1(vlan1) entering disabled state
Dec 5 16:23:15 unknown user.info kernel: device eth1 left promiscuous mode
Dec 5 16:23:15 unknown user.info kernel: br0: port 2(eth1) entering disabled state
Dec 5 16:23:15 unknown user.info kernel: device eth2 left promiscuous mode
Dec 5 16:23:15 unknown user.info kernel: br0: port 3(eth2) entering disabled state
Dec 5 16:23:16 unknown user.notice kernel: klogd: exiting
Dec 5 16:23:16 unknown syslog.info syslogd exiting
Dec 5 16:23:16 unknown syslog.info syslogd started: BusyBox v1.21.1
Dec 5 16:23:16 unknown user.notice kernel: klogd started: BusyBox v1.21.1 (2013-11-19 20:39:02 CET)
Dec 5 16:23:16 unknown user.err syslog: module usbcore not found in modules.dep
Dec 5 16:23:16 unknown user.debug kernel: vlan1: add 33:33:00:00:00:01 mcast address to master interface
Dec 5 16:23:16 unknown user.debug kernel: vlan1: add 01:00:5e:00:00:01 mcast address to master interface
Dec 5 16:23:16 unknown user.info kernel: device eth1 entered promiscuous mode
Dec 5 16:23:16 unknown user.info kernel: device eth2 entered promiscuous mode​

 

[RMerlin]

No, this is normal.

 

[Super Bee]

No, this is normal.

Good to know.

I was concerned over the previous mention from the log about a possible DNS-rebind attack.

So what is promiscuous mode?

Thanks.

 

[thiggins]

No, this is normal.

Why is it normal for devices to enter promiscuous mode?

 

[canuckle]

Happens to all routers as they get older and start testing their boundaries and trying to find themselves ...

Sorry, couldn't resist!


Sent from my iPhone using Tapatalk

 

[RMerlin]

Why is it normal for devices to enter promiscuous mode?

From what I understand, this is required since the interfaces (LAN, 2.4 and 5 GHz) are bridged together under br0.

I also saw a recent DD-WRT commit where, after testing out with promiscuous mode disabled for a while, Brainslayer re-enabled it, as otherwise some packets would fail to get forwarded between the interfaces on the bridge.

This is different from having, for example, a single computer's NIC in promisc mode, which is usually only needed when doing traffic sniffing.

 

[RMerlin]

Good to know.

I was concerned over the previous mention from the log about a possible DNS-rebind attack.

So what is promiscuous mode?

Thanks.

promiscuous mode means that a given network interface will accept all frames it gets sent, not just those it was specifically expecting to see.

 

[Super Bee]

So it's not some outside source that is doing the sniffing? Reading the log, it seemed to me that something using BusyBox was capturing all of the outgoing packets. Guess I shouldn't read too much into the router's log!

 

[Pericynthion]

You'll notice it normally only does it when the radio goes up/down or makes a config change. As per Merlins' note, its primarily so it receives input over that virtual bridge from the kernel itself before it moves into 'operational' mode.

 

[RMerlin]

So it's not some outside source that is doing the sniffing? Reading the log, it seemed to me that something using BusyBox was capturing all of the outgoing packets. Guess I shouldn't read too much into the router's log!

The log entries are unrelated. The entry related to Busybox merely reports the fact that Busybox's log daemon has been started. Busybox is a multipurpose binary that allows to combine a lot of basic Linux functionalities into one single binary, to save on space in embedded devices.