Well of course - ntop puts the interface into promiscuous mode... it has to. But it doesn't do anything beyond that - if a switch is sending you bogus traffic, that's a problem with the switch (probably overflowed its MAC address tables - either that or it's seen the same address on multiple ports - stuff like that causes a switch to operate as a hub so it doesn't lose traffic - it's your problem on the device end to throw away junk).

Remember how interfaces work: In non-promiscuous mode, the hardware interface knows its address and only grabs packets addressed to it (plus broadcasts). In promiscuous mode, it grabs all packets. Any selection is done by the tcp/ip stack, so that libpcap and other low level interfaces can see all packets (Ethernet frames) regardless of addressee.

However, this should be invisible to normal processes, which open a specific port (remember - Unix's everything is a file mantra), either connected to a specific interface (address) or 0.0.0.0 meaning all. So if you create the socket connections for, say, 0.0.0.0 port 53, you will see all DNS packets. And this is regardless of whether the interface is in promiscuous mode.

How a device driver handles multiple IP addresses is hardware dependent - some hardware can support this - up to maybe 4 or 8. Other hardware only implements a single TCP/IP address and so if you assign aliases, it puts the card into promiscuous mode and handles the addressing issues in the driver and/or just ignores things and lets the tcp/ip stack handle it. Go read the driver code... :-;

Also, this is one case where you will want to buy and use decent NICs ...

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Porter
Sent: Tuesday, June 07, 2005 6:02 PM
To: ntop users
Subject: [Ntop] Traffic not addressed to me

I'm using ntop to see traffic going in and out of my box. It's not a router. Yet I'm seeing a lot of traffic not addressed to my host. AFAIK my provider has me connected by a switch. Does ntop do anything "interesting" to make a switch port promiscuous so that I'd see that traffic, or am I seeing a problem with the switch?

Here's what tcpdump shows (my address is 66.28.14.59 on a /28):

[EMAIL PROTECTED] root]# tcpdump 'ip and not net 66.28.14.48 and not host 66.28.14.59' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:35:32.089565 IP 64.12.117.9.49634 > 38.113.32.72.http: F 3814351394:3814351394(0) ack 3981589166 win 6432
15:35:32.243815 IP 66.42.50.123.prsvp > 38.113.32.72.http: . ack 3969251638 win 5840
15:35:32.308265 IP 83.93.104.200.2404 > 38.113.32.72.http: . ack 3993733870 win 64240
15:35:32.336584 IP 83.93.104.200.2404 > 38.113.32.72.http: P 0:736(736) ack 1 win 64240
15:35:32.339730 IP 83.93.104.200.2403 > 38.113.32.72.http: . ack 3979686177 win 63956
15:35:32.342969 IP 83.93.104.200.2403 > 38.113.32.72.http: F 0:0(0) ack 1 win 63956

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
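
An added example, not part of the original thread: one way to summarise which foreign unicast destinations an interface is receiving, run over the tcpdump lines and the 66.28.14.59/28 addressing quoted in the question. The function name foreign_flows and the parsing regex are assumptions of this example; a count dominated by one destination is what you would expect if the switch is flooding frames meant for a single neighbouring host.

```python
import ipaddress
import re
from collections import Counter

# Local addressing as stated in the question: 66.28.14.59 on a /28.
LOCAL_NET = ipaddress.ip_interface("66.28.14.59/28").network

# Lines copied from the tcpdump -n output quoted in the thread.
SAMPLE = """\
15:35:32.089565 IP 64.12.117.9.49634 > 38.113.32.72.http: F 3814351394:3814351394(0) ack 3981589166 win 6432
15:35:32.243815 IP 66.42.50.123.prsvp > 38.113.32.72.http: . ack 3969251638 win 5840
15:35:32.308265 IP 83.93.104.200.2404 > 38.113.32.72.http: . ack 3993733870 win 64240
15:35:32.336584 IP 83.93.104.200.2404 > 38.113.32.72.http: P 0:736(736) ack 1 win 64240
15:35:32.339730 IP 83.93.104.200.2403 > 38.113.32.72.http: . ack 3979686177 win 63956
15:35:32.342969 IP 83.93.104.200.2403 > 38.113.32.72.http: F 0:0(0) ack 1 win 63956
"""

# tcpdump prints endpoints as "a.b.c.d.port"; the port may be a number
# or a service name such as "http" or "prsvp".
ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})\.([\w-]+)"
LINE = re.compile(rf"^\S+ IP {ENDPOINT} > {ENDPOINT}:")


def foreign_flows(text, local_net=LOCAL_NET):
    """Count frames per (dst_ip, dst_port) where neither endpoint is local.

    Broadcast and multicast destinations are skipped: a NIC receives those
    legitimately even when it is not in promiscuous mode.
    """
    hits = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines, non-IP frames, anything unparsed
        src, _sport, dst, dport = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in local_net or dst_ip in local_net:
            continue  # traffic that belongs on this segment
        if dst_ip.is_multicast or dst == "255.255.255.255":
            continue
        hits[(dst, dport)] += 1
    return hits


if __name__ == "__main__":
    for (dst, port), n in foreign_flows(SAMPLE).most_common():
        print(f"{n:4d} frames not for {LOCAL_NET} -> {dst} port {port}")
```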
