Linux Promiscuity.

[Scott A. McIntyre]

Hi,

I've recently encountered something odd in my working with argus and I'm
not terribly sure how to resolve it -- I suspect that there may be some
wisdom on the list so if anyone has any ideas, I'd appreciate hearing
them.

The symptom is best thought of in the BSD analogy of running out of BPF
pseudo-devices.  Whilst Linux doesn't directly have such devices, I
sense that somewhere in the 2.4 kernel code is a similar structure,
complete with a default number of potential instances.

The manifestation has been largely when I have half a dozen or so argus
sessions going, maybe a few other promiscuous mode applications running,
and suddenly they go silent.  Nothing other than arp packets appear.

Initially, my finger of blame pointed to the Cisco switches and SPAN;
that something temporarily broke within it.  However, if I killed off
one or two of my argus or other similar applications, things returned to
normal.

It's been difficult to reproduce this reliably with a fixed number of
applications running such that I could say "six is the magic number",
but perhaps these sketchy descriptions will be enough to trigger
someone's knowledge.

Any clues?  Thanks!

Scott