I had the same problem, and a strange resolution. I was using RH Linux with promiscuous mode tools including snort, tcpdump, and iptraf, and all of those tools would only see broadcasts and traffic to/from the localhost. It ended up that the NIC being used to monitor the segment was negotiating 10MB half-duplex and all of the other hosts on the hub were running 100MB full-duplex. Once I got the monitor interface running at 100, all of the traffic flowing across the wire became visible.
I don't quite understand why this would happen, and if anyone has an explanation please share with us.

Damon

-----Original Message-----
From: Smith, Chris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 12:14 PM
To: 'Siddharta Govindaraj'
Cc: '[EMAIL PROTECTED]'
Subject: RE: sniffer in promiscuous mode

Are you in a switched environment? If so, you will need to span ports (copy traffic from one port to another) so the port with the sniffer gets copies of the frames and can read the traffic. Normally switches utilize "microsegmentation" - only copying frames to the port owning the destination MAC address(es). You will see ARP and other broadcast traffic as broadcasts (mac = FF:FF:FF:FF:FF:FF) are copied to each port.

-----Original Message-----
From: Siddharta Govindaraj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 8:04 AM
To: [EMAIL PROTECTED]
Subject: sniffer in promiscuous mode

Hi,

I have a funny problem with the ethereal packet sniffer. It correctly captures all packets entering or leaving my interface, but in promiscuous mode, it only seems to capture ARP, NETBIOS, IPX, RIP and such protocols, and never seems to get any UDP or TCP packets! I have tried other sniffers, and they all exhibit the same behaviour, so I don't think it's a sniffer problem. Is there something else I have to do to capture TCP packets? Or could it be something to do with Wincap?

Thanks
Siddharta
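
The symptom discussed in this thread (a promiscuous capture that shows only broadcast traffic plus the sniffer's own conversations) can be checked by classifying captured frames by destination MAC. The following is an added example, not code from any of the posters; the MAC addresses and frames are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (no FCS)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(raw, own_mac):
    """Label one raw frame by how it was addressed."""
    if len(raw) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst, src = raw[:6], raw[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                 # group bit set: multicast
        return "multicast"
    if own_mac in (dst, src):
        return "own-unicast"
    return "foreign-unicast"

def diagnose(frames, own_mac):
    """Return (counts, sees_foreign_unicast) for a capture."""
    counts = Counter(classify(f, own_mac) for f in frames)
    return counts, counts["foreign-unicast"] > 0

# Constructed sample data (locally administered MACs, not real hosts).
OWN, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SWITCH_PORT_VIEW = [
    frame("ff:ff:ff:ff:ff:ff", HOST_A, 0x0806),   # ARP request
    frame("01:00:5e:00:00:01", HOST_B, 0x0800),   # IPv4 multicast
    frame(OWN, HOST_A, 0x0800),                   # traffic to the sniffer
    frame(HOST_A, OWN, 0x0800),                   # traffic from the sniffer
]
MIRRORED_VIEW = SWITCH_PORT_VIEW + [frame(HOST_B, HOST_A, 0x0800)]

if __name__ == "__main__":
    for name, capture in (("switch port", SWITCH_PORT_VIEW), ("mirrored", MIRRORED_VIEW)):
        counts, ok = diagnose(capture, mac(OWN))
        print(name, dict(counts), "sees other hosts' unicast" if ok else "broadcast/own traffic only")
```

A capture with zero foreign-unicast frames means the monitoring interface is not being handed other hosts' traffic, whatever the sniffer's promiscuous setting says.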