@(#)README for ifstatus v1.3 06 JAN 2001 Rob Thomas robt@cymru.com

The ifstatus tool was originally authored by Dave Curry.  Version 1.3
introduces support for the Solaris 8 hme and qfe devices.


Introduction

Version 1.3 of ifstatus is designed to detect Solaris 8 hme and qfe
interfaces that have been placed in promiscuous mode.  As with previous
versions, version 1.3 can be run from cron to keep a close watch on the
attached interfaces.  This version will also detect sniffers attached
to unplumb'd interfaces.  This trick was detailed in a previous article
I authored, which can be perused at the following URL:

http://www.cymru.com/~robt/Docs/Howto/Sun/sniffer-trick.txt


The Gory Details

The ifstatus tool, versions 1.1 and 1.2, was originally written by David
Curry.  The tool is designed to detect an interface that has been placed
in promiscuous mode.  This worked well with Solaris versions up to and
including 2.6.  However, with the release of Solaris 7, the tool no
longer worked.  The reasons for this were unclear, and most of the cries
for help were along the lines of "Sun broke ifconfig!"  This is incorrect.

The Solaris 7 and 8 kernels use a different method for network driver
access, e.g. access to a given hme card.  While struct hme continues to
exist, each access of /dev/hme actually creates a unique stream, or a
struct hmestr.  Thus, if a given stream attached to the hme driver is
placed in promiscuous mode, only the struct hmestr reflects this fact
by setting HMESALLPHYS in hmestr.sb_flags.  Fortunately in the case of
the hme driver, a counter in struct hme (hme.promisc_ctr) is updated
when any attached stream is placed into promiscuous mode.  This is not
the case with other drivers, such as the le driver.  Thus, it is not
possible to determine if a le interface is in promiscuous mode from
struct le.  To determine if a given stream attached to the le driver is
in promiscuous mode, each attached stream must be checked for SLALLPHYS
in lestr.sl_flags.

When a putmsg() places an hme interface into promiscuous mode, it may
actually make a request for two flags to be set.  The flags are set in
the hmeponreq() function in hme.c, and are:

	HMESALLPHYS - physical interface promiscuous mode
	HMESALLSAP - set if HMESALLPHYS is not set
	HMESALLMULTI - physical interface multicast promiscuous mode

Thus, the value of hme.promisc_ctr may increase by two (HMESALLPHYS or
HMESALLSAP and HMESALLMULTI) when the interface is placed in promiscuous
mode.  The snoop(1M) command will set both HMESALLPHYS and HMESALLMULTI,
for example, and thus increment hme.promisc_ctr by two.

When the attached stream leaves promiscuous mode, hme.promisc_ctr is
decremented by two.  The increment and decrement of hme.promisc_ctr are
done within the hme driver proper.  However, if there is no attached
stream, then the counter is never decremented.  This is because the
driver only decrements hme.promisc_ctr when A) The attached stream
(struct hmestr) reports that it is no longer in promiscuous mode, or
B) The attached stream is detached.  Thus, if an unplumb'd hme interface
is placed into and out of promiscuous mode several times, the counter
will only increase.  For this reason it is impossible to state with
certainty that an unconfigured (read: unplumb'd or detached) hme
interface is presently in promiscuous mode.  Only a count of the number
of times an unattached hme interface was placed in promiscuous mode can
be derived.  Of course, any number larger than 0 indicates that the
device was placed in promiscuous mode at least once, and lsof can be
used to determine if the unattached interface is still being used by
some process.
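
The counter behavior described above can be modeled in a few lines of C.
This is an added example, not code from ifstatus or from the Solaris hme
driver: the struct layouts, flag bit values, and the classify() and
run_sessions() helpers are assumptions made for illustration.

```c
/* Simplified model of the hme.promisc_ctr accounting described in this README.
 * Not Solaris driver source: struct layouts and flag values are constructed. */
#include <stdio.h>
#define HMESALLPHYS  0x1u   /* constructed bit values, not from the headers */
#define HMESALLMULTI 0x2u
#define HMESALLSAP   0x4u
struct hme_model    { int promisc_ctr; int plumbed; };
struct hmestr_model { unsigned sb_flags; struct hme_model *dev; };
enum verdict { CLEAN, PROMISC_NOW, PROMISC_SEEN };

/* Promiscuous-on request: one increment per flag newly set on the stream. */
static void promisc_on(struct hmestr_model *s, unsigned flags) {
    for (unsigned bit = 1; bit <= HMESALLSAP; bit <<= 1)
        if ((flags & bit) && !(s->sb_flags & bit)) {
            s->sb_flags |= bit;
            s->dev->promisc_ctr++;
        }
}

/* Promiscuous-off: flags clear, but no decrement on an unplumb'd interface. */
static void promisc_off(struct hmestr_model *s) {
    for (unsigned bit = 1; bit <= HMESALLSAP; bit <<= 1)
        if (s->sb_flags & bit) {
            s->sb_flags &= ~bit;
            if (s->dev->plumbed) s->dev->promisc_ctr--;
        }
}

/* Unplumb'd and non-zero means "seen at least once", not "sniffing now". */
static enum verdict classify(const struct hme_model *d) {
    if (d->promisc_ctr == 0) return CLEAN;
    return d->plumbed ? PROMISC_NOW : PROMISC_SEEN;
}

/* Run n snoop-like sessions (PHYS + MULTI); optionally leave the last open. */
static int run_sessions(struct hme_model *d, int n, int leave_open) {
    for (int i = 0; i < n; i++) {
        struct hmestr_model s = { 0, d };
        promisc_on(&s, HMESALLPHYS | HMESALLMULTI);
        if (!(leave_open && i == n - 1)) promisc_off(&s);
    }
    return d->promisc_ctr;
}

int main(void) {
    struct hme_model down = { 0, 0 };            /* unplumb'd interface */
    int ctr = run_sessions(&down, 3, 0);
    printf("ctr=%d verdict=%d\n", ctr, classify(&down));
    return 0;
}
```

On the unplumb'd model the counter keeps growing even though every
session has ended, which is why a PROMISC_SEEN result calls for a
follow-up check with lsof rather than an immediate alarm.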


Changes in ifstatus Version 1.3

The fundamental operation and internals of the ifstatus tool have not
changed significantly.  The only changes in version 1.3 are in support
of qfe and hme drivers in Solaris 8, plus the addition of a bit more
output when the verbose (-v) flag is set.  Everything else remains the
same.


Building ifstatus Version 1.3

To build ifstatus v1.3 for Solaris 8, edit the Makefile and change the
value of OSNAME to SUNOS58.  Type "make" and enjoy!  By default, the
Makefile already has OSNAME set to SUNOS58.  If you are building ifstatus
v1.3 for another platform, select the appropriate OSNAME as noted in the
Makefile.

Unfortunately, due to the STREAMS abstractions in Solaris 7 and the
format of struct hme and struct le, ifstatus will not detect promiscuous
mode interfaces in Solaris 7.  The same is true of le interfaces in
Solaris 8.


Conclusion, Credits, and Blame Where Blame is Due

Dave Curry wrote the bulk of the code (thanks, Dave!), and I give him
full credit for the idea and work.  I accept full responsibility for
any mistakes I have introduced in version 1.3.  :-)  I wish to thank
Neil Long for the suggestion to make ifstatus work with Solaris 8 and
for his assistance in testing version 1.3.  I wish to thank Michael
Hill for testing as well as Makefile and installation suggestions.

Please punt any questions or concerns with version 1.3 of ifstatus to me
directly at robt@cymru.com.

Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");

