What promiscuous mode does on modern networks

May 28, 2008

Recently, I have wound up wondering if using or not using tcpdump's -p switch made any difference on modern hardware and modern switched networks (partly because not using it causes your kernel to generate a message every time you start and stop tcpdump, and I can live without that). The somewhat unfortunate answer is that yes, it still makes a difference.

First, promiscuous mode is still at least partly a low-level hardware thing in your network card, not just a software switch inside the networking stack. (The exception is that I believe some hardware has only limited multicast filtering, so it effectively turns on full promiscuous mode once you do enough multicast stuff.)

Second, even on normal ports on modern switched networks you can still see traffic that requires promiscuous mode to receive, i.e., traffic that is neither broadcast nor directed to your machine specifically. Often this is a sign that something weird is going on, which makes it just the sort of thing that you most want to see.

(And of course if you are tapping the network deliberately, for example on a mirror port on a switch, you are sure to receive such traffic.)

I'll still use -p most of the time (and I wish it was the default), because most of the time that I use tcpdump I'm only interested in traffic that is supposed to be flowing through the machine in the first place.

(The kernel itself will pass to tcpdump all packets that it receives from the network card, so if you have a bridged virtual machine and use tcpdump -p on the host machine you will still see traffic to and from the bridged machine.)
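As an added illustration of the distinction the post draws (not code from the original entry), the following Python classifies Ethernet frames by whether a card in non-promiscuous mode would deliver them at all: unicast to our own MAC, broadcast, and subscribed multicast arrive either way, while unicast to someone else or unsubscribed multicast is only visible with promiscuous mode. The MAC addresses, the frames and the set of "subscribed" multicast groups are all constructed for the example; `promiscuous_only` picks out exactly the frames that a plain `tcpdump -p` on a normal switch port should not be seeing, which is the "something weird" worth a second look.

```python
"""Classify Ethernet frames by whether a NIC in non-promiscuous mode would
deliver them.  Added example, not from the original post; all addresses and
frames below are constructed for illustration."""

import struct

BROADCAST = bytes.fromhex("ffffffffffff")

# Kinds that only a promiscuous capture (or an overflowed multicast filter)
# would show on an ordinary, non-mirrored switch port.
NEEDS_PROMISC = {"multicast-other", "unicast-other"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def classify_frame(frame: bytes, own_mac: bytes, multicast_groups=frozenset()) -> str:
    """Return how a frame reaches this host, judged by destination MAC only:
    'unicast-to-us', 'broadcast', 'multicast-subscribed' (delivered without
    promiscuous mode) or 'multicast-other', 'unicast-other' (need it)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    if dst == own_mac:
        return "unicast-to-us"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: a group (multicast) address
        return "multicast-subscribed" if dst in multicast_groups else "multicast-other"
    return "unicast-other"


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed frame: 14-byte Ethernet header plus a dummy payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed, locally administered MAC addresses (0x02 prefix).
OWN_MAC = bytes.fromhex("02000000aa01")
NEIGHBOUR = bytes.fromhex("02000000aa02")
STRANGER = bytes.fromhex("02000000aa03")
ALL_HOSTS_MCAST = bytes.fromhex("01005e000001")  # 224.0.0.1 mapped to Ethernet
MDNS_MCAST = bytes.fromhex("01005e0000fb")       # 224.0.0.251 mapped to Ethernet

SAMPLE_FRAMES = [
    build_frame(OWN_MAC, NEIGHBOUR),                    # normal unicast to us
    build_frame(BROADCAST, NEIGHBOUR, ethertype=0x0806),  # ARP broadcast
    build_frame(ALL_HOSTS_MCAST, NEIGHBOUR),            # multicast we joined
    build_frame(MDNS_MCAST, NEIGHBOUR),                 # multicast we did not join
    build_frame(STRANGER, NEIGHBOUR),                   # unicast for another host
]


def promiscuous_only(frames, own_mac: bytes, multicast_groups=frozenset()):
    """Frames that 'tcpdump -p' on a normal port should not see; each result is
    (kind, source MAC, destination MAC) for follow-up."""
    out = []
    for frame in frames:
        kind = classify_frame(frame, own_mac, multicast_groups)
        if kind in NEEDS_PROMISC:
            out.append((kind, mac_str(frame[6:12]), mac_str(frame[0:6])))
    return out


if __name__ == "__main__":
    for kind, src, dst in promiscuous_only(SAMPLE_FRAMES, OWN_MAC, {ALL_HOSTS_MCAST}):
        print(f"{kind:16} {src} -> {dst}")
```

Run against a real capture, the same classification can be applied to the first 14 bytes of each frame; the point is that with `-p` set, anything classified as `unicast-other` on an ordinary port arrived despite the card's address filter, not because of it.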


Comments on this page:

From 208.44.121.252 at 2008-05-28 09:36:05:

Liberal use of the filters will help pare down extraneous data.

I can't tell you how many times I've ssh'd into a machine, run tcpdump to examine network data, and been immediately flooded because "duh, I'm ssh'd in". "not host" is a very useful statement ;-)

Matt Simmons
http://standalone-sysadmin.blogspot.com
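The "not host" trick from the comment above, written out as an added example (not code from the post or the commenter): a small Python helper that reads OpenSSH's `SSH_CONNECTION` variable (client address, client port, server address, server port) and builds a `tcpdump -p -n` command whose filter drops only the operator's own SSH session. It goes slightly beyond the comment's `not host` form, which also hides every other packet from the same workstation; excluding just the session's host and port pair keeps those visible. The interface name and the sample `SSH_CONNECTION` value are constructed.

```python
"""Build a tcpdump command that excludes the operator's own SSH session.
Added example, not from the post or its comments.  SSH_CONNECTION has the
form 'client_ip client_port server_ip server_port' (set by OpenSSH)."""

import os
import shlex


def ssh_session_filter(ssh_connection: str) -> str:
    """Return a BPF expression matching everything except the SSH session
    described by ssh_connection.  Port numbers are matched in either
    direction, so both halves of the conversation are excluded."""
    parts = ssh_connection.split()
    if len(parts) != 4:
        raise ValueError("SSH_CONNECTION should have exactly four fields")
    client_ip, client_port, _server_ip, server_port = parts
    return (f"not (host {client_ip} and tcp port {client_port} "
            f"and tcp port {server_port})")


def tcpdump_command(interface: str, extra_filter: str = "",
                    ssh_connection=None) -> list:
    """Assemble argv for a non-promiscuous (-p), non-resolving (-n) capture.
    If ssh_connection is None the value is taken from the environment; an
    empty string means 'no SSH session to exclude'."""
    if ssh_connection is None:
        ssh_connection = os.environ.get("SSH_CONNECTION", "")
    clauses = []
    if ssh_connection:
        clauses.append(ssh_session_filter(ssh_connection))
    if extra_filter:
        clauses.append(f"({extra_filter})")
    argv = ["tcpdump", "-p", "-n", "-i", interface]
    if clauses:
        argv.append(" and ".join(clauses))
    return argv


if __name__ == "__main__":
    # Constructed sample session: workstation 192.0.2.10 logged in to port 22.
    cmd = tcpdump_command("eth0", "port 53", "192.0.2.10 51234 198.51.100.5 22")
    print(shlex.join(cmd))
```

Printing the command with `shlex.join` rather than running it lets you check the filter before handing it to tcpdump, and the single quoted expression avoids the shell splitting the parentheses.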

Written on 28 May 2008.
Last modified: Wed May 28 00:32:05 2008