Promiscuous mode - when to use it?
-
I'm having a conversation with another forum member and we are disagreeing about the use of Promiscuous Mode.
I say you don't need it for logging things that talk directly to you, only if you are trying to monitor everything on a network connection - and that it requires the use of port mirroring on the switch to be of any use.
Additionally - it's been suggested that you can't know if a phone is busy unless the PBX has promiscuous mode enabled. I don't agree with this either.
So who's right?
Giving some real world context to this.
I am currently having issues with my SIP trunks. My SIP provider says there are no errors in their logs. My PBX vendor (Mitel) tells me that there are dropped keep-alive packets from the SIP trunks. The end result is that users don't always get a dialtone when they reach for the phone, even though there are plenty of SIP Channels free. Mitel has suggested that I disable promiscuous mode (though they of course failed to mention where to disable it).
I have checked the switch that the PBX is plugged into, HP 2824:
sh monitor
Port Mirroring is currently disabled.
and the switch that the SIP trunks get onto the network through, HP 2650 PWR:
sh monitor
Port Mirroring is currently disabled.
So from my point of view there is nothing more I can do; I have ensured that no extra traffic is flowing down the switch ports beyond what is specifically destined for the PBX/SIP trunks plus broadcast packets.
It's possible promiscuous mode might be enabled on the PBX NIC, but no one seems to know the root password so we can check. We are currently waiting on a call back from Mitel direct.
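The NIC-side check mentioned in the post above, as an added example that is not part of the original post or any Mitel tooling: on a Linux host the interface flags under /sys/class/net are readable without root privileges, so the IFF_PROMISC bit (0x100) can be tested directly. That the PBX runs Linux and offers a shell is an assumption; the function names and the sample flag values are constructed for illustration.

```shell
#!/bin/sh
# Added example: list interfaces that have IFF_PROMISC set.
# Assumes a Linux host exposing /sys/class/net/<iface>/flags.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# is_promisc FLAGS_HEX -> exit status 0 if the IFF_PROMISC bit is set
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [NET_DIR] -> prints the name of each promiscuous interface
promisc_ifaces() {
    net_dir=${1:-/sys/class/net}
    for path in "$net_dir"/*; do
        # Skip entries without a readable flags file (or an empty glob)
        [ -r "$path/flags" ] || continue
        flags=$(cat "$path/flags")
        if is_promisc "$flags"; then
            echo "${path##*/}"
        fi
    done
}

# Constructed sample tree (not real device data):
# eth0 is a normal interface, eth1 has the promiscuous bit set.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/eth0" "$d/eth1"
    echo 0x1003 > "$d/eth0/flags"   # UP | BROADCAST | MULTICAST
    echo 0x1103 > "$d/eth1/flags"   # the same flags plus IFF_PROMISC
    echo "$d"
}

sample=$(make_sample)
promisc_ifaces "$sample"            # prints: eth1
rm -rf "$sample"
```

Calling `promisc_ifaces` with no argument reads the live /sys/class/net tree on the host it runs on.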
-
Easy answer... when you don't want to be sneaky
-
I would think you need port mirroring enabled if you want to receive logging from multiple sources to all be redirected to a logging server.
I do agree that anything intended for that MAC address can be "logged" without promiscuous mode.
As for the extra traffic, I disagree; the packet is being dropped because it's not for the target device. The bandwidth is still being used.
-
@Dashrender said:
only if you are trying to monitor everything on a network connection - and that it requires the use of port mirroring on the switch to be of any use.
If you ARP spoof you don't need that.
-
@johnhooks said:
@Dashrender said:
only if you are trying to monitor everything on a network connection - and that it requires the use of port mirroring on the switch to be of any use.
If you ARP spoof you don't need that.
Is this a practical troubleshooting process? Spoofing MACs?
-
@Dashrender said:
@johnhooks said:
@Dashrender said:
only if you are trying to monitor everything on a network connection - and that it requires the use of port mirroring on the switch to be of any use.
If you ARP spoof you don't need that.
Is this a practical troubleshooting process? Spoofing MACs?
Oh no, not practical for troubleshooting. I was just pointing out it can be done without needing access to the switch. I wasn't trying to correct you, just pointing it out for anyone else reading through.