If you're connected to a switch, then under normal circumstances you see only:
1. Unicast packets directed towards your machine
2. Multicast packets for the multicast group that your machine is in
3. Broadcast packets
Some switches can be configured to replicate all traffic on all ports to a
single port. Then you plug your sniffer into that port and you see everything.
Sniffing is a lot easier with true hubs.
--gilbert
"Darren Kara" <karad@xxxxxxxx> on 08/17/2000 06:35:15 AM
Please respond to karad@xxxxxxxx
To: Gilbert Ramirez/Tivoli Systems@Tivoli Systems
cc: ethereal-users@xxxxxxxx
Subject: RE: [ethereal-users] Ethereal filters
Thanks,
I took care of the parser error. Now though when I do get a capture, all I
see is LLC traffic.
I am plugged directly into a bay 350T switch with no vlan, it's basically
acting as a hub. I have a half dozen boxes hanging off of it, as well as
two ports connected to routers. I should be seeing more traffic than this. I
thought when you put your eth into promiscuous mode that it picked up all
traffic on the same segment?
I will try doing something like the following and it will generate 0 count
tcp
net x.x.x.0
net x.x.x.0 mask 255.255.255.0
tcp port 80 and host x.x.x.x
I appreciate your help, this is not an area that I have spent a lot of time
working on.
-----Original Message-----
From: Gilbert_Ramirez@xxxxxxxxxx [mailto:Gilbert_Ramirez@xxxxxxxxxx]
Sent: Wednesday, August 16, 2000 4:17 PM
To: karad@xxxxxxxx
Subject: RE: [ethereal-users] Ethereal filters
After a capture filter syntax error, you need to restart ethereal in order to
use another capture filter. This is because of a bug in libpcap; it doesn't
reset its internal parser after a failed parse. libpcap version 0.5, available
from tcpdump.org, fixes this bug.
--gilbert
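
The forwarding behaviour described in the top reply of this thread, as an added example that is not part of the original messages and is not Ethereal or libpcap code: a toy model of what a sniffer port receives on a plain switch, on a mirrored port and on a hub. The MAC addresses, port numbers, frame labels and the group-aware multicast handling are assumptions made for the illustration.

```python
# Added illustration: toy model of Ethernet forwarding, not Ethereal or libpcap code.
BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, S = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:05"  # constructed MACs
GROUP_S, GROUP_B = "01:00:5e:00:00:01", "01:00:5e:00:00:02"  # constructed multicast groups

class Switch:
    def __init__(self, ports, mirror_port=None, hub=False):
        self.ports, self.mirror_port, self.hub = set(ports), mirror_port, hub
        self.mac_table = {}   # learned source MAC -> port
        self.groups = {}      # multicast MAC -> member ports (assumes a group-aware switch)

    def join(self, port, group):
        self.groups.setdefault(group, set()).add(port)

    def forward(self, in_port, src, dst):
        """Return the set of ports a frame is transmitted on."""
        self.mac_table[src] = in_port
        others = self.ports - {in_port}
        if self.hub or dst == BROADCAST:
            out = set(others)                        # hub repeats everything; broadcast floods
        elif dst in self.groups:
            out = self.groups[dst] - {in_port}       # multicast: member ports only
        elif dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}  # known unicast: one port
        else:
            out = set(others)                        # unknown unicast: flooded until learned
        if self.mirror_port not in (None, in_port):
            out.add(self.mirror_port)                # port mirroring copies all traffic
        return out

# Constructed traffic: (label, ingress port, source MAC, destination MAC)
FRAMES = [
    ("arp-from-A", 1, A, BROADCAST),
    ("arp-from-B", 2, B, BROADCAST),
    ("A-to-B", 1, A, B),
    ("B-to-A", 2, B, A),
    ("A-to-sniffer", 1, A, S),
    ("A-to-group-S", 1, A, GROUP_S),
    ("A-to-group-B", 1, A, GROUP_B),
]

def frames_seen(mode, sniffer_port=3):
    """Labels of frames delivered to the sniffer port in 'switch', 'mirror' or 'hub' mode."""
    sw = Switch([1, 2, 3], mirror_port=sniffer_port if mode == "mirror" else None,
                hub=(mode == "hub"))
    sw.join(sniffer_port, GROUP_S)
    sw.join(2, GROUP_B)
    return [label for label, port, src, dst in FRAMES
            if sniffer_port in sw.forward(port, src, dst)]
```

In "switch" mode the conversation between A and B never reaches the sniffer port, which matches a capture filter such as "tcp port 80 and host x.x.x.x" counting 0 packets even with the interface in promiscuous mode.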