While tcpdump'ing, I do a ifconfig -a, and can see the PROMISC flag, OK.
When I ^C tcpdump, PROMISC disapear, OK.
When I run 2 tcpdump processes simultaneously, if I ^c the 2nd then the
first, PROMISC disappear, OK.
But if I ^c the first before the 2nd, ifconfig will not show me the
PROMISC flag (because it is not set !?), and the 2nd tcpdump process
will work ok. More, when I ^C the 2nd tcpdump, ifconfig will show me the
PROMISC flag !
I wanted to post the above but I notice that vger was down (?), so I
began to investigate by myself.
My investigations lead me to libpcap (pcap-linux.c: linux_restore_ifr)
which is linked to tcpdump.
What's happen here, is that when a tcpdump instance exits, it restore
the flags to their initial (ante tcpdump instance) values.
Example:
if the first instance of tcpdump exit, then clear IFF_PROMISC (always),
because this flag was off before running the first instance of tcpdump,
if instance n (n > 1) exit, then set IFF_PROMISC (always), because this
flag was on before running the n>1 instance of tcpdump.
Maybe this could be solved by adding a if_pcount (like in BSD) field in
the ifreq structure, which will hold the number of promiscuous
listeners, but this will likely break some programs, to begin with
ifconfig itself (even a rebuild will do).
Is one knows another mean ?
Just curious: What should be the implications of such a change ?
tia,
-- Meir
my kernel: 2.0.18