Promiscuous
Promiscuous mode allows a network interface to capture all packets on the wire, not just those addressed to its MAC address. This is essential for certain VoIPmonitor deployment scenarios.
When is Promiscuous Mode Required?
| Traffic Mirroring Method | Promiscuous Mode Required? | Reason |
|---|---|---|
| SPAN / Port Mirroring | YES | Mirrored packets retain original MAC addresses |
| RSPAN | YES | Same as SPAN but across VLANs |
| Network TAP | YES | TAP copies raw Layer 2 frames |
| ERSPAN | No | Traffic encapsulated in GRE, addressed to sensor IP |
| GRE Tunnel | No | Tunnel packets addressed to sensor IP |
| TZSP | No | UDP encapsulation to sensor IP |
| VXLAN | No | UDP encapsulation to sensor IP |
| On-host capture | No | Sensor runs on PBX, sees own traffic natively |
ℹ️ Note: For Layer 3 tunneling methods (ERSPAN, GRE, TZSP, VXLAN), the encapsulated traffic is addressed directly to the sensor's IP. The OS receives these packets normally and VoIPmonitor decapsulates them automatically.
Checking Current Status
# Check if promiscuous mode is enabled
ip link show eth0 | grep -i promisc
# Alternative: look for PROMISC flag in output
ip link show eth0
# Output includes: ... UP,BROADCAST,RUNNING,PROMISC ...
Enabling Promiscuous Mode
Temporary (Until Reboot)
# Enable
ip link set dev eth0 promisc on
# Disable
ip link set dev eth0 promisc off
Persistent Configuration
The sensor's install-script.sh attempts to configure this automatically, but may fail on some systems. Manual configuration options:
Method 1: Netplan (Ubuntu 18.04+)
Edit /etc/netplan/01-netcfg.yaml:
network:
ethernets:
eth0:
# ... existing config ...
# Add post-up script
version: 2
Then create /etc/networkd-dispatcher/routable.d/50-promisc:
#!/bin/bash
ip link set dev eth0 promisc on
chmod +x /etc/networkd-dispatcher/routable.d/50-promisc
Method 2: systemd service
Create /etc/systemd/system/promisc.service:
[Unit]
Description=Enable promiscuous mode on eth0
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable --now promisc.service
Method 3: rc.local (Legacy)
Add to /etc/rc.local before exit 0:
/sbin/ip link set dev eth0 promisc on
Verification
After enabling, verify traffic is visible:
# Quick test with tcpdump
sudo tcpdump -i eth0 -c 10 "port 5060"
# More detailed with tshark
tshark -i eth0 -Y "sip || rtp" -n -c 20
If you see SIP/RTP packets, promiscuous mode is working correctly.
Troubleshooting
| Problem | Solution |
|---|---|
PROMISC flag not showing after enable |
Check if interface exists: ip link show. Verify interface name matches config.
|
| Traffic visible in tcpdump but not in VoIPmonitor | Check interface directive in /etc/voipmonitor.conf matches. See Sniffer_troubleshooting.
|
| Promiscuous mode resets after reboot | Use persistent configuration method above. |
| "Permission denied" when enabling | Run command as root or with sudo.
|
| No traffic even with promisc enabled | Verify SPAN/mirror configuration on switch. See Sniffer_troubleshooting. |
⚠️ Warning: Security: Promiscuous mode exposes the interface to all network traffic. Only enable on dedicated monitoring interfaces, not on production servers exposed to untrusted networks.
See Also
- Sniffer_troubleshooting - Complete troubleshooting guide for capture issues
- Sniffing_modes - Deployment topology guide (SPAN, ERSPAN, tunneling)
- Sniffer_configuration - Full configuration reference
AI Summary for RAG
Summary: Promiscuous mode allows a network interface to capture all packets regardless of destination MAC address. It is REQUIRED for Layer 2 mirroring methods (SPAN, RSPAN, hardware TAP) because mirrored packets retain their original MAC addresses. It is NOT required for Layer 3 tunneling methods (ERSPAN, GRE, TZSP, VXLAN) because these encapsulate traffic in packets addressed directly to the sensor's IP. Enable with ip link set dev eth0 promisc on. For persistence, use systemd service, netplan dispatcher, or rc.local. Verify with ip link show eth0 looking for PROMISC flag.
Keywords: promiscuous mode, promisc, SPAN, RSPAN, port mirroring, network TAP, packet capture, ip link, interface configuration, ERSPAN, GRE, TZSP, VXLAN, Layer 2, Layer 3, MAC address, persistent configuration, systemd, netplan
Key Questions:
- Do I need promiscuous mode for VoIPmonitor?
- How do I enable promiscuous mode on Linux?
- Does ERSPAN require promiscuous mode?
- How do I make promiscuous mode persistent after reboot?
- How do I check if promiscuous mode is enabled?
- Why is VoIPmonitor not seeing SPAN traffic?
- What is the difference between SPAN and ERSPAN for promiscuous mode?