@(#)README for ifstatus v1.3 06 JAN 2001 Rob Thomas robt@cymru.com

The ifstatus tool was originally authored by Dave Curry.  Version 1.3
introduces support for the Solaris 8 hme and qfe devices.


Introduction

Version 1.3 of ifstatus is designed to detect Solaris 8 hme and qfe
interfaces that have been placed in promiscuous mode.  As with previous
versions, version 1.3 can be run from cron to keep a close watch on the
attached interfaces.  This version will also detect sniffers attached
to unplumb'd interfaces.  This trick was detailed in a previous article
I authored, which can be perused at the following URL:

http://www.cymru.com/~robt/Docs/Howto/Sun/sniffer-trick.txt


The Gory Details

The ifstatus tool, versions 1.1 and 1.2, was originally written by David
Curry.  The tool is designed to detect an interface that has been placed
in promiscuous mode.  This worked well with Solaris versions up to and
including 2.6.  However, with the release of Solaris 7, the tool no
longer worked.  The reasons for this were unclear, and most of the cries
for help were along the lines of "Sun broke ifconfig!"  This is incorrect.

The Solaris 7 and 8 kernels use a different method for network driver
access, e.g. access to a given hme card.  While struct hme continues to
exist, each access of /dev/hme actually creates a unique stream, or a
struct hmestr.  Thus, if a given stream attached to the hme driver is
placed in promiscuous mode, only the struct hmestr reflects this fact
by setting HMESALLPHYS in hmestr.sb_flags.  Fortunately in the case of
the hme driver, a counter in struct hme (hme.promisc_ctr) is updated
when any attached stream is placed into promiscuous mode.  This is not
the case with other drivers, such as the le driver.  Thus, it is not
possible to determine if a le interface is in promiscuous mode from
struct le.  To determine if a given stream attached to the le driver is
in promiscuous mode, each attached stream must be checked for SLALLPHYS
in lestr.sl_flags.

It is important to remember that two STREAMS are created when open() is
called on a given driver.  Thus, the value of hme.promisc_ctr goes up by
two for every attached stream that enters promiscuous mode.  When the
attached stream leaves promiscuous mode, hme.promisc_ctr is decremented
by two.  The increment and decrement of hme.promisc_ctr are done within
the hme driver proper.  However, if there is no attached stream, then
the counter is never decremented.  This is because the driver only
decrements hme.promisc_ctr when A) The attached stream (struct hmestr)
reports that it is no longer in promiscuous mode, or B) The attached
stream is detached.  Thus, if an unplumb'd hme interface is placed into
and out of promiscuous mode several times, the counter will only
increase.  For this reason it is impossible to state with certainty
that an unconfigured (read: unplumb'd or detached) hme interface is
presently in promiscuous mode.  Only a count of the number of times an
unattached hme interface was placed in promiscuous mode can be derived.
Of course, any number larger than 0 indicates that the device was placed
in promiscuous mode at least once, and lsof can be used to determine if
the unattached interface is still being used by some process.
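
The two detection strategies described above, as an added example.  This
is not code from ifstatus or from the Solaris kernel; the struct layout,
the flag value, and all function names are constructed for illustration.

```c
/* Added example: user-space model of the checks described above.  These are
 * NOT the Solaris kernel structures; layout and flag value are constructed. */
#include <stdio.h>
#include <stddef.h>

#define MODEL_ALLPHYS 0x1u  /* constructed stand-in for HMESALLPHYS / SLALLPHYS */

struct model_stream {       /* stands in for struct hmestr / struct lestr */
    unsigned flags;
    const struct model_stream *next;
};

enum verdict { CLEAN, PROMISC_NOW, PROMISC_SEEN };

/* hme-style check: device-wide counter, +2 per stream entering promiscuous
 * mode, -2 when that stream leaves the mode or detaches. */
enum verdict check_counter(unsigned promisc_ctr, int plumbed)
{
    if (promisc_ctr == 0)
        return CLEAN;
    /* Unplumb'd: the counter only grows, so non-zero proves past use only. */
    return plumbed ? PROMISC_NOW : PROMISC_SEEN;
}

/* Each promiscuous-mode entry adds two, so halve the counter to count them. */
unsigned counter_events(unsigned promisc_ctr) { return promisc_ctr / 2; }

/* le-style check: no device-wide counter to consult, so walk every stream. */
size_t count_promisc_streams(const struct model_stream *s)
{
    size_t n = 0;
    for (; s != NULL; s = s->next)
        if (s->flags & MODEL_ALLPHYS)
            n++;
    return n;
}

/* Constructed sample: three attached streams, one of them promiscuous. */
size_t sample_le_count(void)
{
    struct model_stream c = { 0, NULL };
    struct model_stream b = { MODEL_ALLPHYS, &c };
    struct model_stream a = { 0, &b };
    return count_promisc_streams(&a);
}

int main(void)
{
    printf("hme plumbed ctr=2 -> %d, unplumb'd ctr=6 -> %d (%u entries), le -> %zu\n",
           check_counter(2, 1), check_counter(6, 0), counter_events(6), sample_le_count());
    return 0;
}
```

A PROMISC_SEEN result is the case where lsof is needed to learn whether
some process still holds the unattached interface open.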


Changes in ifstatus Version 1.3

The fundamental operation and internals of the ifstatus tool have not
changed significantly.  The only changes in version 1.3 are in support
of qfe and hme drivers in Solaris 8.  Everything else remains the same.


Building ifstatus Version 1.3

To build ifstatus v1.3 for Solaris 8, edit the Makefile and change the
value of OSNAME to SUNOS58.  Type "make" and enjoy!  By default, the
Makefile already has OSNAME set to SUNOS58.  If you are building ifstatus
v1.3 for another platform, select the appropriate OSNAME as noted in the
Makefile.


Conclusion, Credits, and Blame Where Blame is Due

Dave Curry wrote the bulk of the code (thanks, Dave!), and I give him
full credit for the idea and work.  I accept full responsibility for
any mistakes I have introduced in version 1.3.  :-)  I wish to thank
Neil Long for the suggestion to make ifstatus work with Solaris 8 and
for his assistance in testing version 1.3.  I wish to thank Michael
Hill for testing as well as Makefile and installation suggestions.

Please punt any questions or concerns with version 1.3 of ifstatus to me
directly at robt@cymru.com.

Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");

