Promiscuous ports under Linux

Peter Pearson pkpearson at nowhere.invalid
Thu May 4 12:33:51 EDT 2017


On Thu, 04 May 2017 10:26:45 GMT, alister <alister.ware at ntlworld.com> wrote:
> On Wed, 03 May 2017 23:57:49 +0000, Peter Pearson wrote:
>
>> Cobbling together a minimalist ethernet-sniffing program, I was hoping
>> to use this simple mechanism for setting the socket to "promiscuous
>> mode" (to see all traffic going past, instead of just traffic addressed
>> to my machine):
>> 
>>     s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>> 
>> Unfortunately, it seems that that mechanism is available under Windows
>> but not under Linux.  Googling around for Linux equivalents, I found
>> only very contorted solutions, and concluded that maybe this lacuna
>> persists because Linux users find it convenient to invoke promiscuous
>> mode from the command line, instead:
>> 
>>     $ sudo ip link set eth0 promisc on
>>     $ netstat -i        # (Verify that the P flag is set.)
>> 
>> This somehow fails: my sniffer continues to see only broadcasts,
>> but if I run dumpcap at the same time, dumpcap captures lots of traffic.
>> 
>> So my question is now two questions:
>> 
>>  . Is it true that going promiscuous under Linux must be somewhat ugly?
>>    (It's OK if it is, I'll just copy the ugly code and get moving
>>    again.)
>> 
>>  . Why doesn't the command-line "promisc on" work?  (Granted, this is
>>    maybe a Linux question.)
>> 
>> Thanks.
>
> Any particular reason why you wish to re-invent this particular wheel
> when Wireshark is freely available (& the de facto tool of choice for
> most network engineers)?

I'm curious to survey all my LAN traffic in various ways, and it seems
likely that I will see phenomena that I don't understand, and focussing
in on those phenomena is likely to require more flexible filtering
than Wireshark can provide.  I expect to leave this process running for
maybe 24 hours at a stretch, maybe longer, with real-time alerts when
interesting things occur.

Maybe Wireshark can do everything I'll ever need to do, but it seems
so complicated, and Python seems so simple . . .

-- 
To email me, substitute nowhere->runbox, invalid->com.
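
An added example (not part of the thread and not any poster's code): on Linux, one way to get promiscuous reception from Python without the `ip link` step is an `AF_PACKET` socket that requests `PACKET_MR_PROMISC` membership, as documented in packet(7); the kernel drops the membership when the socket closes. It needs root or CAP_NET_RAW. The numeric constants are copied from the kernel headers, the function names are illustrative, and the default interface `eth0` is the one named in the post above.

```python
import socket
import struct
import sys

# Values from <linux/socket.h> and <linux/if_packet.h>, defined here rather
# than assumed to be exported by the socket module.
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1
PACKET_OTHERHOST = 3      # pkttype: frame addressed to some other host
ETH_P_ALL = 0x0003        # receive every protocol


def build_packet_mreq(ifindex):
    """Pack struct packet_mreq {int ifindex; u16 type; u16 alen; u8 addr[8];}."""
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"")


def format_mac(raw):
    return ":".join("%02x" % octet for octet in raw)


def parse_ethernet(frame):
    """Return (dst, src, ethertype), or None for a truncated frame."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return format_mac(frame[0:6]), format_mac(frame[6:12]), ethertype


def open_promiscuous(ifname):
    """Open a link-layer socket on ifname and join promiscuous membership."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, ETH_P_ALL))
    mreq = build_packet_mreq(socket.if_nametoindex(ifname))
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


if __name__ == "__main__":
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    with open_promiscuous(ifname) as s:
        while True:
            frame, (_, _, pkttype, _, _) = s.recvfrom(65535)
            parsed = parse_ethernet(frame)
            if parsed:
                # PACKET_OTHERHOST frames only show up in promiscuous mode.
                note = " (other host)" if pkttype == PACKET_OTHERHOST else ""
                print("%s <- %s type=0x%04x%s" % (parsed + (note,)))
```
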


