Menu
What's new
By:
Filters Better Search

Help Reading Syslogs - Possible Hack - Logs Showing Ports Entering Promiscuous Mode

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

zwitterion

zwitterion

Occasional Visitor
This would be the second time my router (info found below on signature) completely stopped receiving both wireless and wired connections. When looking at the syslog I found ethernet ports being set to Promiscuous Mode and Entered Listening State. When searching online I found "promiscuous mode means a packet sniffer instructed your ethernet device to listen to all traffic. This can be a benign or a malicious act." If this is a bug issue, then I can post this elsewhere as well to help with resolving the matter.
 
Promiscuous mode is what happens when you engage tap/monitoring of the port/packet. I use ntopng and that's how you get the info. Are you using a package in the router for this purpose?
 
Tech Junky said:
Promiscuous mode is what happens when you engage tap/monitoring of the port/packet. I use ntopng and that's how you get the info. Are you using a package in the router for this purpose?
Click to expand...
I don't think so, I just have Diversion, Skynet, and scribe installed. I used to have Kiwi Syslog but that was setup before I moved to Merlin and the configs may have been transferred in the dirty firmware upgrade. I no longer use Kiwi syslog since I have Scribe installed
 
I glanced at the attachment after replying and it looks like an 8 minute boot log. Looks like normal stuff with interfaces coming online. Maybe a hard reset and manual reconfiguration bis needed. It didn't show any obvious app being triggered. Maybe it did a soft reboot to trigger things due to an error?
 
Tech Junky said:
I glanced at the attachment after replying and it looks like an 8 minute boot log. Looks like normal stuff with interfaces coming online. Maybe a hard reset and manual reconfiguration bis needed. It didn't show any obvious app being triggered. Maybe it did a soft reboot to trigger things due to an error?
Click to expand...
Possibly, not sure what causes soft reboots. I am getting regular patterns of these syslogs:

Mar 30 21:12:22 GT-AXE11000-7220 kernel: FPM Pool 1: invalid token 0x205f0000 freed
Mar 30 21:12:22 GT-AXE11000-7220 kernel: FPM Pool 1: ISR timer is enabled. There could be multiple occurrences of the reported issue
Mar 30 22:09:46 GT-AXE11000-7220 kernel: httpds (2617): drop_caches: 1
and one of these:
Mar 30 22:19:44 GT-AXE11000-7220 kernel: htb: too many events!

if it becomes a bigger problem I can wipe everything and install clean firmware
 
Httpds is the web server package for reporting something from an app. I also run pihole for monitoring dns traffic and it's bundled into that for the web GUI. There might be a conflict from the dirty upgrade between the two programs. A surefire way to figure it out would be a netstat to see what's listening / serving web stats from an ssh session.
 
You must log in or register to reply here.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 723 (members: 14, guests: 709)
Top