IFCHK(1)
NAME
ifchk - host based promiscuous mode detection and handling
SYNOPSIS
ifchk [ -d ] [ -i ] [ -h ] [ -v ]
DESCRIPTION
ifchk scans the system's network interfaces to see if any
of them are running in promiscuous mode. This is the
case if a given configured network interface is receiving
copies of all packets traversing the network medium as
opposed to just those that are specifically addressed to
it. By default, ifchk starts by writing to standard output
a count of all interfaces present on the system, followed
by per-interface information.
For each interface, a name/unit number pairing (e.g. ef0)
and corresponding state is printed. An interface can be
in one of four different states, which are enumerated as
follows:
PROMISC: The interface is operating in promiscuous
mode and is processing all traffic regardless
of traffic target address.
PROMISC [*]: Identical to PROMISC above, except that the
promiscuous interface has subsequently been
disabled. See the '-d' flag in OPTIONS below.
normal: The interface is operating normally and is
ignoring all network traffic not specifically
addressed to it or the broadcast address.
*down*: The interface is down and is not processing
network traffic at all.
All state information is written to the master system log
via syslogd(1M) once per ifchk invocation in addition to
standard output as mentioned above.
OPTIONS
ifchk functionality can be modified with one of four
possible command line arguments. It will not accept more
than one argument per invocation; if given more than one,
the program prints a descriptive error message and exits.
Malformed command line sequences (e.g. ifchk -dd, ifchk d,
ifchk -) are handled the same way. Command line options
are as follows:
-d Shut down a network interface if it is found to be
running in promiscuous mode. State two or "PROMISC
[*]" as described in the DESCRIPTION section above
is then appended to the interface's name with "[*]"
denoting its disabling. Data transfer will not be
possible until the interface is marked up via
ifconfig(1M). This functionality draws upon kernel
services that require root privileges and
_will_ fail for non-root users. This option is
silently ignored if invoked by root and no
interfaces are found to be in the promiscuous
state.
-i Display metrics describing network traffic flow
across all configured interfaces attached to the
system. For each interface, print its name/unit
number pairing, index, input packet count and output
packet count. That a metrics dump was performed
is logged via syslog(1M). This information
is provided with a view towards allowing system
administrators to recognize changes in interface
traffic volume (e.g. spikes) that are inconsistent
with established traffic trends.
-h Print a usage message summarizing the four command
line arguments that are accepted by ifchk.
-v Print the program revision, host runtime environment
data and information showing the date and time
that ifchk was compiled. Runtime environment data
includes the name of the system on which ifchk is
running, its operating system name, operating system
release and resident hardware/CPU type.
EXAMPLE OUTPUT
interface(s): 3
ec0: PROMISC [*]
lo0: normal
ppp0: *down*
Default output on a host with three network interfaces.
Here, interface ec0 was running in promiscuous mode and
was therefore disabled.
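The state check described in DESCRIPTION, as an added example in C that is not ifchk's own source. It assumes a Linux or BSD host that provides getifaddrs(3); if_state and scan_interfaces are hypothetical names, and the code only reports states, it does not disable an interface as '-d' does.

```c
#define _DEFAULT_SOURCE             /* expose IFF_* on glibc in strict modes */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <ifaddrs.h>

#define MAX_IFS 64                  /* constructed limit for this example */

/* Map interface flags to the state labels shown in the ifchk output.
 * Assumption: a down interface is reported as *down* even if the
 * promiscuous flag is still set, since it is not receiving traffic. */
const char *if_state(unsigned int flags)
{
    if (!(flags & IFF_UP))
        return "*down*";
    if (flags & IFF_PROMISC)
        return "PROMISC";
    return "normal";
}

/* Report each interface once (getifaddrs returns one entry per address,
 * so names repeat). Returns the number of promiscuous interfaces that
 * are up, or -1 on error. */
int scan_interfaces(void)
{
    struct ifaddrs *list, *p;
    char seen[MAX_IFS][IF_NAMESIZE];
    int nseen = 0, npromisc = 0, i;

    if (getifaddrs(&list) != 0)
        return -1;
    for (p = list; p != NULL && nseen < MAX_IFS; p = p->ifa_next) {
        for (i = 0; i < nseen; i++)
            if (strcmp(seen[i], p->ifa_name) == 0)
                break;
        if (i < nseen)
            continue;               /* already reported this interface */
        snprintf(seen[nseen++], IF_NAMESIZE, "%s", p->ifa_name);
        printf("%s: %s\n", p->ifa_name, if_state(p->ifa_flags));
        if ((p->ifa_flags & IFF_UP) && (p->ifa_flags & IFF_PROMISC))
            npromisc++;
    }
    freeifaddrs(list);
    return npromisc;
}

int main(void)
{
    int n = scan_interfaces();
    if (n < 0) { perror("getifaddrs"); return 2; }
    return n > 0 ? 1 : 0;           /* non-zero exit lets a monitor alert */
}
```

On Linux, a capture that requests promiscuous reception through a packet-socket membership does not set IFF_PROMISC in these flags, so a clean result from a flag check is not proof that nothing is capturing.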
SEE ALSO
ifconfig(1M), syslogd(1M)
AUTHOR
Joshua Birnbaum <engineer@noorg.org>.
COPYRIGHT
Copyright (C) 2002, 2003 Joshua Birnbaum.
All Rights Reserved.