(Mail to "[EMAIL PROTECTED]" now gets forwarded to
"[EMAIL PROTECTED]", as tcpdump/libpcap development is now
being done by the Tcpdump Group, whose Web page is at
http://www.tcpdump.org/
.)
On Thu, Jul 12, 2001 at 12:30:51PM +0200, Florian Lorenzen wrote:
> My question is whether it's possible to overhear the transport between
> two other hosts on the net, e. g.
>
> $ tcpdump host x and y
Here's an item from the Ethereal FAQ:
http://www.ethereal.com/faq.html#q3.6
There should perhaps be a similar item in the tcpdump FAQ.
The item says:
Q 3.6: I can't see any TCP packets other than packets to and
from my machine, even though another sniffer on the network sees
those packets.
A: This might be because the network interface on which you're
capturing doesn't support "promiscuous" mode, or because your OS
can't put the interface into promiscuous mode. Normally,
network interfaces supply to the host only:
o packets sent to one of that host's link-layer addresses;
o broadcast packets;
o multicast packets sent to a multicast address that the
host has configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode,
in which they supply to the host all network packets they see.
However, some network interfaces don't support promiscuous mode,
and some OSes might not allow interfaces to be put into
promiscuous mode.
If the interface is not running in promiscuous mode, it won't
see any traffic that isn't intended to be seen by your machine.
It will see broadcast and perhaps some multicast packets; TCP
doesn't use broadcast or multicast, so you will only see your
own TCP traffic, but UDP services may use broadcast or multicast
so you'll see some UDP traffic - however, this is not a problem
with TCP traffic, it's a problem with unicast traffic, as you
also won't see all UDP traffic between other machines.
This might also be because the interface on which you're
capturing is plugged into a switch; on a switched network,
unicast traffic between two ports will not necessarily appear on
other ports. Some switches have the ability to replicate all
traffic on all ports to a single port so that you can plug your
sniffer into that single port to sniff all traffic.
(Note that some "hubs" are actually switches - "switching hubs" - so
don't assume that just because the device into which your machine is
plugged is called a "hub" that your machine isn't on a switched network;
it might be.)
For tcpdump, there's another possibility - some versions of tcpdump do
not, by default, run in promiscuous mode; the "-p" flag, rather than
turning promiscuous mode off, turns it on. Unfortunately, the tcpdump
man page for that version of tcpdump doesn't always reflect that change.
The versions I know of that invert the meaning of "-p" are for Linux,
and *some* Linux distributions, such as, I think, Red Hat 6.1 and later,
and SuSE 6.3 and later (and possibly some other distributions - Mandrake
might follow Red Hat here - and other versions of the distributions
mentioned might do the same).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
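As an added example (not part of this message, nor of the tcpdump or Ethereal FAQ), the Python below models the two visibility rules the FAQ item describes: what a switch forwards to the capturing host's port, and what a non-promiscuous interface then hands to the host (own unicast, broadcast, and multicast groups it was configured to accept). It also decodes the interface flags word from /sys/class/net/<iface>/flags against IFF_PROMISC (0x100, from the Linux if.h header), which is a quick way to check whether an interface is actually in promiscuous mode before blaming tcpdump's "-p" behaviour. The MAC addresses, the frame list and the "multicast is flooded by the switch" simplification are constructed assumptions for the example.

```python
"""Model which Ethernet frames a capture host can see, per the FAQ item above.

Added example, not code from the tcpdump project or the FAQ. All addresses
and frames below are constructed sample values.
"""
from dataclasses import dataclass, replace

BROADCAST = "ff:ff:ff:ff:ff:ff"
IFF_PROMISC = 0x100  # interface flag bit, Linux <linux/if.h>


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes; ValueError on malformed input."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_multicast(mac: str) -> bool:
    """Group bit is the least-significant bit of the first octet (broadcast qualifies too)."""
    return bool(mac_bytes(mac)[0] & 0x01)


@dataclass
class CaptureHost:
    own_macs: set           # link-layer addresses of the capturing host
    joined_multicast: set   # multicast groups the interface was told to accept
    promiscuous: bool = False


def reaches_port(dst_mac: str, host: CaptureHost, switched: bool, mirrored: bool) -> bool:
    """Does the frame physically arrive on the capturing host's port?

    On a hub (switched=False) every frame arrives. On a switch, only frames for
    this host's addresses, broadcast and (simplified here) multicast are
    forwarded to our port, unless the port is a mirror port that receives all traffic.
    """
    if not switched or mirrored:
        return True
    if mac_bytes(dst_mac) in {mac_bytes(m) for m in host.own_macs}:
        return True
    return is_multicast(dst_mac)  # broadcast has the group bit set as well


def nic_accepts(dst_mac: str, host: CaptureHost) -> bool:
    """Does the interface hand the frame to the host? Mirrors the FAQ's three bullets."""
    if host.promiscuous:
        return True
    dst = mac_bytes(dst_mac)
    if dst in {mac_bytes(m) for m in host.own_macs}:
        return True
    if dst == mac_bytes(BROADCAST):
        return True
    return is_multicast(dst_mac) and dst in {mac_bytes(m) for m in host.joined_multicast}


def visible(frames, host: CaptureHost, switched: bool = True, mirrored: bool = False):
    """Labels of the frames a sniffer on `host` would capture, in arrival order."""
    return [label for label, dst in frames
            if reaches_port(dst, host, switched, mirrored) and nic_accepts(dst, host)]


def promisc_from_flags(flags_text: str) -> bool:
    """Decode the hex flags word from /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def interface_is_promiscuous(iface: str) -> bool:
    """Linux-only live check; useful for spotting interfaces left in promiscuous mode."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        return promisc_from_flags(f.read())


# Constructed sample traffic: (label, destination MAC)
SAMPLE_FRAMES = [
    ("tcp-to-me",       "00:11:22:33:44:55"),   # unicast to the capturing host
    ("tcp-x-to-y",      "00:aa:bb:cc:dd:ee"),   # unicast between two other hosts
    ("arp-broadcast",   BROADCAST),
    ("mdns-multicast",  "01:00:5e:00:00:fb"),   # group this host joined
    ("other-multicast", "01:00:5e:00:00:01"),   # group this host did not join
]
HOST = CaptureHost(own_macs={"00:11:22:33:44:55"}, joined_multicast={"01:00:5e:00:00:fb"})
PROMISC_HOST = replace(HOST, promiscuous=True)

if __name__ == "__main__":
    print("switch, not promiscuous:", visible(SAMPLE_FRAMES, HOST))
    print("switch, promiscuous:    ", visible(SAMPLE_FRAMES, PROMISC_HOST))
    print("hub, promiscuous:       ", visible(SAMPLE_FRAMES, PROMISC_HOST, switched=False))
    print("mirror port, promiscuous:", visible(SAMPLE_FRAMES, PROMISC_HOST, mirrored=True))
```

The second and third cases are the point of the FAQ answer: promiscuous mode alone does not surface the x-to-y unicast on a switched port, while a hub or a mirror port does. The flags check reads the kernel's own view of the interface, so it works regardless of what a given tcpdump build does with "-p".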