While tcpdump'ing, I do a ifconfig -a, and can see the PROMISC flag, OK.
When I ^C tcpdump, PROMISC disapear, OK.
When I run 2 tcpdump processes simultaneously, if I ^c the 2nd then the
first, PROMISC disappear, OK.
But if I ^c the first before the 2nd, ifconfig will not show me the
PROMISC flag (because it is not set !?), and the 2nd tcpdump process
will work ok. More, when I ^C the 2nd tcpdump, ifconfig will show me the
PROMISC flag !
Investigating a little lead me to libpcap
(pcap-linux.c:linux_restore_ifr) which is linked to tcpdump.
What's happen here, is that when a tcpdump instance exits, it restore
the flags to their initial (ante tcpdump instance) values.
Example:
- if the first instance of tcpdump exit, then clear IFF_PROMISC
(always), because this flag was off before running the first instance of
tcpdump,
- if instance n (n > 1) exit, then set IFF_PROMISC (always), because
this flag was on before running the n>1 instance of tcpdump.
Maybe this could be solved by adding a if_pcount (like in BSD) field in
the ifreq structure, which will hold the number of promiscuous
listeners, but this will likely break some programs, to begin with
ifconfig itself (even a rebuild will do).
Just curious: What should be the implications of adding a if_pcount
field in the ifreq structure (defined in /usr/include/linux/if.h) ?
tia,
-- Meir
my kernel: 2.0.18