Home > Uncategorized > Quick Primer: kernel flags

Quick Primer: kernel flags

Reviewing set kernel flags will allow you to easily determine many settings that are in use at run time for devices in /sys/class.

For instance, to determine if a network interface is in promiscuous mode:

Find the flag that sets promiscuous mode:

cat /usr/src/kernels/$(uname -r)/include/linux/if.h | grep -i promisc

Then take a look at the flag of the interface (network device):

cat /sys/class/net/eth0/flags

If the flag is set to 0x1103 then it is in promiscuous mode.
To find out what the 0x003 value means, review /usr/src/kernels/$(uname -r)/include/linux/if.h:

cat /usr/src/kernels/$(uname -r)/include/linux/if.h | grep define | less

“But, Matt, it looks like 0x100 has two definitions?” you might think.  If you take a look at the contents of the source file, you will see that there are two scopes of these constants/flags: “Standard interface flags (netdevice->flags)” and “Private (from user) interface flags (netdevice->priv_flags).”

The author of Samhain has a very detailed article of other solutions to determine promiscuous mode, which may be able to translate over the other device kernel flags.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: