
How much load does promiscuous mode add to the server when enabled on the main public network interface?

I had to create a bridge and while inspecting the traffic using something like:

tcpdump -n -e -ttt -i pflog0 inbound 

I notice all requests of my "neighbors/servers", for example all the attempts to ssh on port 22, etc.

By enabling promisc mode, does the NIC card delegate all the packages to the server, and therefore more CPU needs to be used to do the filtering, etc.?

Making an analogy, could it be said that promiscuous mode puts the network card in bridge mode/bypass so that the network card capabilities are unused?

nbari

1 Answer

What's happening in promiscuous mode is that the NIC passes all traffic it receives down to the OS network stack. Normally, only broadcasts and packets with a matching destination MAC address are handled and everything else is silently ignored.

In a switched network, this mostly doesn't make a difference as the switch doesn't even send non-matching packets to a port, but in wireless networks and very old wired networks with hubs or bus cabling (e.g. 10Base2), the NIC receives all traffic and filters everything non-matching in non-promiscuous mode.

BTW, you only need to turn this on in bridge mode, as otherwise the NIC would ignore all traffic for all devices behind that bridge (today, mostly vNICs for virtual machines).

So, in modern wired networks, turning on promiscuous mode doesn't make a difference as it doesn't see any traffic not intended for it anyway, but in wireless or old networks, this can make a difference. How much of a difference naturally depends on the amount of traffic and the capabilities of your hardware. It should only be a small amount though, unless you turn on port-mirroring in a high-volume network.

Sven
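
The receive filter described in the answer above, as an added Python example that is not part of the original question or answer: it models which frames a NIC hands to the OS in normal versus promiscuous mode and compares the resulting frame and byte counts on a shared (hub-like) segment and on a switched port. It goes slightly beyond the answer by also modelling joined multicast groups; all function names, MAC addresses and frames are constructed for illustration.

```python
# Added example: models the destination-MAC receive filter of a NIC.
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def nic_accepts(frame, own_mac, multicast_groups=(), promiscuous=False):
    """Return True if the NIC passes this frame to the OS network stack."""
    if len(frame) < 14:              # shorter than an Ethernet header
        return False
    if promiscuous:                  # address filter is bypassed entirely
        return True
    dst = frame[:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    if dst[0] & 0x01:                # group bit set: multicast address
        return dst in multicast_groups
    return False                     # unicast for someone else: dropped

def stack_load(frames, own_mac, multicast_groups=(), promiscuous=False):
    """Return (frame count, byte count) that reaches the OS."""
    passed = [f for f in frames
              if nic_accepts(f, own_mac, multicast_groups, promiscuous)]
    return len(passed), sum(len(f) for f in passed)

def build_frame(dst, src, payload_len):
    """Constructed Ethernet II frame: header plus zero-filled payload."""
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(payload_len)

OWN = "02:00:00:00:00:01"
# Constructed traffic as seen on a hub, Wi-Fi or mirrored port.
SHARED_SEGMENT = [
    build_frame(OWN, "02:00:00:00:00:02", 100),                   # to us
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", 46),    # broadcast
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", 1486),  # neighbour
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:04", 1486),  # neighbour
    build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:04", 86),    # multicast
]
# A switch forwards only our unicast and broadcasts to this port.
SWITCHED_PORT = SHARED_SEGMENT[:2]

if __name__ == "__main__":
    for name, frames in (("shared", SHARED_SEGMENT), ("switched", SWITCHED_PORT)):
        normal = stack_load(frames, mac(OWN))
        promisc = stack_load(frames, mac(OWN), promiscuous=True)
        print(f"{name}: normal={normal} promiscuous={promisc}")
```
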