Wandering Thoughts archives


What promiscuous mode does on modern networks

Recently, I have wound up wondering if using or not using tcpdump's -p switch made any difference on modern hardware and modern switched networks (partly because not using it causes your kernel to generate a message every time you start and stop tcpdump, and I can live without that). The somewhat unfortunate answer is that yes, it still makes a difference.

First, promiscuous mode is still at least partly a low level hardware thing in your network card, not just a software switch inside the networking stack. (The exception is that I believe that some hardware has limited support for multicast, so effectively turns on full promiscuous mode any time you do enough multicast stuff.)

Second, even on normal ports on modern switched networks you can still see traffic that requires promiscuous mode to receive, ie traffic that is neither broadcast nor directed to your machine specifically. Often this is a sign that something weird is going on, which makes it just the sort of thing that you most want to see.

(And of course if you are tapping the network deliberately, for example on a mirror port on a switch, you are sure to receive such traffic.)

I'll still use -p most of the time (and I wish it was the default), because most of the time that I use tcpdump I'm only interested in traffic that is supposed to be flowing through the machine in the first place.

(The kernel itself will pass to tcpdump all packets that it receives from the network card, so if you have a bridged virtual machine and use tcpdump -p on the host machine you will still see traffic to and from the bridged machine.)

linux/PromiscuousModeEffects written at 00:32:05; Add Comment

By day for May 2008: 1 2 3 4 5 6 7 8 9 11 12 13 15 17 18 19 20 21 23 24 25 26 28 29 30 31; before May; after May.

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.