== What promiscuous mode does on modern networks

Recently, I have wound up wondering if using or not using _tcpdump_'s _-p_ switch made any difference on modern hardware and modern switched networks (partly because not using it causes your kernel to generate a message every time you start and stop _tcpdump_, and I can live without that).

The somewhat unfortunate answer is that yes, it still makes a difference. First, promiscuous mode is still at least partly a low level hardware thing in your network card, not just a software switch inside the networking stack.

(The exception is that I believe that some hardware has limited support for multicast, so effectively turns on full promiscuous mode any time you do enough multicast stuff.)

Second, even on normal ports on modern switched networks you can still see traffic that requires promiscuous mode to receive, ie traffic that is neither broadcast nor directed to your machine specifically. Often this is a sign that [[something weird ../sysadmin/NetworkWeirdness]] is going on, which makes it just the sort of thing that you most want to see.

(And of course if you are tapping the network deliberately, for example on a mirror port on a switch, you are sure to receive such traffic.)

I'll still use _-p_ most of the time (and I wish it was the default), because most of the time that I use _tcpdump_ I'm only interested in traffic that is supposed to be flowing through the machine in the first place.

(The kernel itself will pass to _tcpdump_ all packets that it receives from the network card, so if you have a bridged virtual machine and use _tcpdump -p_ on the host machine you will still see traffic to and from the bridged machine.)
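To make "traffic that requires promiscuous mode to receive" concrete, here is an added example (not part of the original entry) that sorts raw Ethernet frames by why a card would accept them. The MAC addresses, the sample frames and all function names are constructed for illustration; multicast is counted separately because whether the card accepts it depends on its multicast filter.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def classify_frame(frame, own_mac):
    """Say why a card with address own_mac would (or would not) see frame."""
    if len(frame) < 14:                 # dst(6) + src(6) + ethertype(2)
        return "truncated"
    dst, src = frame[:6], frame[6:12]
    if src == own_mac:                  # our own outgoing traffic in the capture
        return "from-us"
    if dst == own_mac:
        return "to-us"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # group bit set: multicast address
        return "multicast"
    return "needs-promiscuous"          # unicast addressed to another station

def summarize(frames, own_mac):
    """Count frames per class; 'needs-promiscuous' is what -p would hide."""
    return Counter(classify_frame(f, own_mac) for f in frames)

def make_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet frame for the constructed samples below."""
    return parse_mac(dst) + parse_mac(src) + ethertype.to_bytes(2, "big") + payload

# Constructed sample data: locally administered addresses, not real hosts.
OWN = parse_mac("02:00:00:00:00:01")
SAMPLE = [
    make_frame("02:00:00:00:00:01", "02:00:00:00:00:02"),  # to us
    make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02"),  # broadcast
    make_frame("01:00:5e:00:00:fb", "02:00:00:00:00:03"),  # multicast
    make_frame("02:00:00:00:00:03", "02:00:00:00:00:02"),  # someone else's
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:01"),  # sent by us
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:03"),  # someone else's
    b"\x02\x00",                                           # too short
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE, OWN).items()):
        print(f"{kind:18} {count}")
```

A non-zero "needs-promiscuous" count on an ordinary switch port is the kind of traffic the entry describes as a sign that something weird is going on.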