How to avoid the “promiscuous mode” messages being logged repeatedly in /var/log/messages?

The Soluition

– During normal operation, a network interface filters out received unicast traffic which is not directly addressed to the host. In this way, the host OS never sees the unwanted traffic and therefore does not waste time processing it.

– When a network interface is in promiscuous mode all filters are removed so the OS sees every packet received by the interface regardless of how it is addressed.

– Packet capture programs typically put an interface into promiscuous mode while they run. For tcpdump, this feature can be disabled by running it with the -p option set.

– Promiscuous mode means the network interface does not reject traffic where the destination MAC address is not the NIC’s own MAC address. This mode is used for packet capturing or network monitoring.

– If you check the interface for which these messages are being logged in ip or ifconfig command, you would see the “PROMISC” flag set on it. For example:

# ip link show eth3 
 2: eth0: [BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast qlen 1000 
 link/ether 52:54:00:4b:72:87 brd ff:ff:ff:ff:ff:ff

 

To avoid these messages being logged, there are several options:

 

1. Filter Log Messages

1. To avoid the messages being logged to /var/log/messages, filter the messages out with a line in /etc/rsyslog.conf such as:

 

# cat /etc/rsyslog.conf
:msg, contains, "promiscuous mode"    ~

# tilde in the above filter ignores the message to be logged in /var/log/messages file.

 

2. Now, restart the rsyslog service for the changes to take effect.

 

# service rsyslog restart        ### For CentOS/RHEL 6
# systemctl restart rsyslog      ### For CentOS/RHEL 7

 

2. Avoid Repeated Logging of Entering and Leaving Promisc Mode

The command “ip link set dev ethX promisc on” can be used to enable promiscuous mode, and you can confirm it with ip link. The device will have the PROMISC flag:

2: ethX: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 2: ethX: [BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP] mtu 1500

 

You can apply this on boot and ifup by writing /sbin/ifup-local as described below:

#!/bin/bash
if [ "$1" == "eth4" ] || [ "$1" == "eth5" ] || [ "$1" == "bond0" ]; then
  /sbin/ip link set dev "$1" promisc on
fi

 

3. Prevent User Application Setting Interface Promisc

Identify the application causing the device to enter promiscuous mode. Stop the program or script making socket calls which enable promisc mode, or stop using the program or script. This is most often a packet capture program such as tcpdump, tshark, or Wireshark, however some network monitoring utilities also enable this mode.

Was this answer helpful? 0 Users Found This Useful (0 Votes)