HDK Technical Reference

Promiscuous mode

Network adapter drivers normally process only those network frames containing the MAC address of the device they control or broadcast addresses. When promiscuous mode is enabled, network frames bound for any MAC address are received and passed to the MDI consumer, whether a kernel driver or user program. This can be useful for network troubleshooting; network monitors and other tools rely on promiscuous mode.

The SVR5 and SCO OpenServer 5 MDI specification provides optional support for promiscuous mode; it is not required. To implement promiscuous mode in an MDI driver, you must code a switch statement to process the MDI MACIOC_PROMISC ioctl. For SVR5 MDI drivers, the bcfg(DSP/4dsp) file includes the mandatory PROMISCUOUS parameter that must be set to true if the driver supports promiscuous mode, or false if it does not.

These MDI elements mandate promiscuous mode behavior:

open(D2mdi): must disable promiscuous mode if it was set by a previous MAC user that had closed the driver before open was called. Also, to ensure that open is not called more than one time before close is called, the driver should fail subsequent calls to open.
close(D2mdi): must disable promiscuous mode when the MDI device is closed
M_IOCTL(D7str): includes a switch statement to process the MACIOC_PROMISC ioctl
The DL_PROMISCON_REQ primitive is defined for DLPI 2.x (SVR5 and SCO OpenServer 5 Release 5) and the DLPI 1.x equivalent is the DLIOCSPROMISC ioctl. Note, however, that these primitives are NAK'ed by the DLPI module because promiscuous mode is not implemented through DLPI. The only way to implement promiscuous mode for SVR5 and SCO OpenServer 5 Release 5 is with MDI.

To access an MDI device in promiscuous mode:

Open the /dev/mdi device.
Send a MAC_BIND_REQ(D7mdi) primitive to the device with the putmsg or putmsg(S) system call.
Send a MACIOC_PROMISC ioctl to enable promiscuous mode.
Read all frames with getmsg or getmsg(S) until ``done''.
Close the file descriptor for the /dev/mdi device.

On SCO OpenServer 5 systems, the /dev/mdi device is normally opened at boot time, before the system goes to single-user state. To use promiscuous mode in an SCO OpenServer 5 driver, you must do the following:

Enter ksl.disable at the boot: prompt:
```
   Boot
   :defbootstr ksl.disable
```
Remove the name of the network card from the /var/opt/K/SCO/lli/*/llimdi file so that the DLPI module does not do an exclusive open of the /dev/mdi device in non-promiscuous mode.

Promiscuous mode must be disabled when MDI drivers are opened (they are usually opened by the ``DLPI'' module), and the DLPI module will not pass the MACIOC_PROMISC ioctl to the driver, because the underlying DL_PROMISCON_REQ primitive is NAKed on /dev/netX devices. Because MDI drivers support only one open per device, it is not possible to open the network adapter for both a protocol stack and a network monitoring application at the same time. It is therefore necessary to devote an entire network adapter to running network monitors in promiscuous mode, or to use the network adapter card in single-user mode before dlpid has started.

NOTE: It is possible to circumvent these constraints by creating a ``tap'' driver that would allow a single device to be in promiscuous mode, pass appropriate frames to the DLPI module, and pass all frames to a network monitor. For more information, see CERT (Computer Emergency Response Team) Coordination Center advisories concerning network monitoring attacks, available at:

http://www.cert.org

You can also circumvent the exclusive open nature for /dev/mdi devices by running the application in single-user mode (so that dlpid is not running) or by commenting out the line pertaining to the network driver in the /etc/inst/nd/dlpimdi file before starting dlpid. Modifying the dlpimdi file is not recommended for production drivers although it is a useful trick when debugging a driver.

Drivers for devices that have the capability should be coded to support promiscuous mode but this is not a requirement and some hardware cannot support promiscuous mode. On SVR5 systems, you can determine if the configured network cards support promiscuous mode, with the following command:

   # echo promiscuous | ndcfg

You can also look for PROMISCUOUS=true in the SVR5 /etc/inst/nd/mdi/*/*.bcfg files.

See ndcfg and bcfg(DSP/4dsp) for more information.

MDI support for promiscuous mode differs from earlier driver architectures, where multiple opens were enabled:

``DLPI'' and ``ODI'' drivers (SCO SVR5 1 and 2) can issue the DL_BIND_REQ DLPI primitive to the PROMISCUOUS_SAP sap. The following STREAMS ioctls can then be sent:

DLIOCGPROMISC
Determine state of promiscuous mode (on/off).

DLIOCSGPROMISC
Toggle state of promiscuous mode (on/off).