
tcpdump can't work in promiscuous mode ?


doriya

Jun 28, 2001, 4:08:00 AM
Hello
I don't know why tcpdump doesn't work in promiscuous mode.

Obviously,
the tcpdump manual says it can catch all packets on an Ethernet LAN
because it sets up promiscuous mode.

I tested it on Solaris and Linux systems.
I installed tcpdump and libpcap on SUN SPARC Solaris 7.
As you know, Red Hat Linux (kernel 2.2.16) already has tcpdump.

On both of them, tcpdump could catch only the packets that the machine
itself sent or received.
In other words,
tcpdump could catch any packets related to itself,
but couldn't catch packets between two other systems.

For example,
I executed tcpdump on the SUN system (named 'lark').
I also have 'oriole' and 'parrot' (they are other UNIX or Linux systems).
They are connected in the same subnet by Ethernet.

lark # tcpdump 'ip host oriole'

In this case, I could catch IP packets from lark to oriole or vice versa.
But I never caught any packets from oriole to parrot or vice versa.

lark                        oriole                 parrot
  |<------------------------->|
  |                           |<-------------------->|
        tcpdump caught              Not caught

According to the tcpdump manual,
it's possible to catch all packets on the same LAN in promiscuous mode.
But it never happened.

Did I miss any setting?
Otherwise, on Solaris and Linux,
can't I enter promiscuous mode even though I am root?

I need your help.
Thanks.


Casper H.S. Dik - Network Security Engineer

Jun 28, 2001, 4:43:57 AM
[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

"doriya" <dor...@netsgo.com> writes:

>I don't know why tcpdump doesn't work in promiscuous mode.

>Obviously,
>the tcpdump manual says it can catch all packets on an Ethernet LAN
>because it sets up promiscuous mode.

Is there no caveat about switched networks?

These days, many LANs are switched (all packets travel from
the switch only out to the ports where the destination is connected
to) and it's no longer possible to see all packets.

(Even my home "LAN" is switched)

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
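
The switched-network behaviour described in the reply above, modelled as an added example that is not part of the original thread. Host names are taken from the question; the port numbers, the traffic list and the class names are constructed for illustration, with host names standing in for MAC addresses.

```python
# Added illustration: which frames a promiscuous NIC on lark's port receives
# behind a hub versus behind a learning switch. Topology is constructed.

PORTS = {"lark": 1, "oriole": 2, "parrot": 3}   # host -> port (assumed)


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def deliver(self, src, dst):
        return {p for p in PORTS.values() if p != PORTS[src]}


class LearningSwitch:
    """Learns source -> port; floods only broadcast or unknown destinations."""

    def __init__(self):
        self.table = {}

    def deliver(self, src, dst):
        in_port = PORTS[src]
        self.table[src] = in_port              # learn where src is attached
        out = self.table.get(dst)
        if dst == "broadcast" or out is None:  # not learned yet: flood
            return {p for p in PORTS.values() if p != in_port}
        return {out} - {in_port}               # learned: one port only


def frames_seen(device, sniffer, traffic):
    """Frames the sniffer host sends itself or that reach its port."""
    seen = []
    for src, dst in traffic:
        ports = device.deliver(src, dst)
        if src == sniffer or PORTS[sniffer] in ports:
            seen.append((src, dst))
    return seen


# Constructed traffic: one broadcast (such as ARP), then unicast exchanges.
TRAFFIC = [
    ("oriole", "broadcast"), ("parrot", "oriole"), ("oriole", "parrot"),
    ("lark", "oriole"), ("oriole", "lark"), ("parrot", "oriole"),
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub()), ("switch", LearningSwitch())):
        print(name, frames_seen(dev, "lark", TRAFFIC))
```

Behind the hub, lark's port receives all six frames; behind the switch it receives only the broadcast and its own conversation with oriole, which matches what the original poster observed.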

Frédéric HEULIN

Jul 11, 2001, 5:28:17 AM
"doriya" <dor...@netsgo.com> wrote in message news:<QjHrlg6$AHA...@news2.sys.netsgo.com>...

> Hello
> I don't know why tcpdump doesn't work in promiscuous mode.
>
> Obviously,
> the tcpdump manual says it can catch all packets on an Ethernet LAN
> because it sets up promiscuous mode.
>
> For example,
> I executed tcpdump on the SUN system (named 'lark').
> I also have 'oriole' and 'parrot' (they are other UNIX or Linux systems).
> They are connected in the same subnet by Ethernet.
>
> lark # tcpdump 'ip host oriole'
>
> In this case, I could catch IP packets from lark to oriole or vice versa.
> But I never caught any packets from oriole to parrot or vice versa.
>
> lark                        oriole                 parrot
>   |<------------------------->|
>   |                           |<-------------------->|
>         tcpdump caught              Not caught
>
> According to the tcpdump manual,
> it's possible to catch all packets on the same LAN in promiscuous mode.
> But it never happened.
>
> Did I miss any setting?

Some old Ethernet cards do not support promiscuous mode; maybe that's
your case ...

> Otherwise, on Solaris and Linux,
> can't I enter promiscuous mode even though I am root?

Yes, of course (under Windows you must be root (admin) to run the
libpcap-tcpdump-ethereal equivalent, winpcap-windump-ethereal).

Wojtek Zlobicki

Jul 11, 2001, 8:38:20 AM
I don't see what type of network you are on here. Are you on a switched
network? Do you have the port that TCPDUMP is sitting on
listening/monitoring/sniffing? I have no problem with TCPDUMP listening
promiscuously.


"Frédéric HEULIN" <fred...@yahoo.fr> wrote in message
news:9a5976e2.0107...@posting.google.com...
