On Fri, Feb 09, 2001 at 07:38:11AM -0600, stefmit@xxxxxxxxxxxxx wrote:
> 2.Not really ethereal -> tcpdump (perhaps libcap) involved here:
> having to leave in a switched only environment, I had to place
> another machine I was supposed to "watch" on a Netgear 10/100
> hub, so that I place my ethereal box on another hub port. When
> running either ethereal (or tcpdump) I could "see" only ARP and
> UDP packets,

...which, unlike TCP packets, might conceivably be broadcast or
multicast packets.

> and the only TCP packets showing up would be if I
> would initiate TCP communication from the ethereal box to the one
> I want to capture

...which means the traffic is either coming from the host running
Ethereal or going to the host running Ethereal.

> - all other TCP traffic from/to this "captured" box
> doesn't show up. Thinking I have a problem with port speed,
> autonegotiation, the fact that the watched box had only 10 Mbps
> card, my laptop with Linux had 10/100 Mbps "autonegotiatable"
> only (those PCMCIA cards do not come with capability of fixing the
> speed any more), I changed the Netgear 10/100 with a Cabletron
> 10 Mbps only hub - and guess what? I started "seeing" all the
> traffic!!! Anybody having an explanation for this

I suspect the Netgear hub is a switching hub. As question 3.6 in the
Ethereal FAQ:

    http://www.ethereal.com/faq.html#q3.6

says:

    Q 3.6: I can't see any TCP packets other than packets to and
    from my machine, even though another sniffer on the network sees
    those packets.

    A: This might be because the network interface on which you're
    capturing doesn't support "promiscuous" mode, or because your OS
    can't put the interface into promiscuous mode. Normally,
    network interfaces supply to the host only:

      o packets sent to one of that host's link-layer addresses;
      o broadcast packets;
      o multicast packets sent to a multicast address that the
        host has configured the interface to accept.

    Most network interfaces can also be put in "promiscuous" mode,
    in which they supply to the host all network packets they see.
    However, some network interfaces don't support promiscuous mode,
    and some OSes might not allow interfaces to be put into
    promiscuous mode.

    If the interface is not running in promiscuous mode, it won't
    see any traffic that isn't intended to be seen by your machine.
    It will see broadcast and perhaps some multicast packets; TCP
    doesn't use broadcast or multicast, so you will only see your
    own TCP traffic, but UDP services may use broadcast or multicast
    so you'll see some UDP traffic - however, this is not a problem
    with TCP traffic, it's a problem with unicast traffic, as you
    also won't see all UDP traffic between other machines.

    This might also be because the interface on which you're
    capturing is plugged into a switch; on a switched network,
    unicast traffic between two ports will not necessarily appear on
    other ports. Some switches have the ability to replicate all
    traffic on all ports to a single port so that you can plug your
    sniffer into that single port to sniff all traffic.

As changing the network hub made the problem go away, it's presumably
not a case of the interface, or its driver, not supporting promiscuous
mode, so it's probably that the Netgear hub was switched and wasn't
sending traffic to the switch port for the machine running Ethereal
unless either

    1) it was sent to the MAC address of that host

or

    2) it was broadcast or multicast traffic.
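
The following is an added example, not part of the original message or of Ethereal: a check that sorts captured Ethernet frames into the delivery classes the FAQ answer lists and reports whether any unicast traffic between other hosts reached the capture port. The function names, MAC addresses and sample frames are constructed for illustration.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def classify(frame: bytes, my_mac: bytes) -> str:
    """Sort one Ethernet frame into the delivery classes from FAQ 3.6."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                        # group bit set: multicast address
        return "multicast"
    if my_mac in (dst, src):
        return "own-unicast"
    return "foreign-unicast"                 # unicast between two other hosts

def diagnose(frames, my_mac: bytes):
    """Return (per-class counts, verdict) for a capture."""
    counts = Counter(classify(f, my_mac) for f in frames)
    if counts["foreign-unicast"]:
        verdict = "shared segment and promiscuous mode working"
    elif counts["own-unicast"] + counts["broadcast"] + counts["multicast"]:
        verdict = "switched port or interface not promiscuous"
    else:
        verdict = "no usable frames"
    return counts, verdict

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed header-only Ethernet frame for the demo."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big")

# Constructed sample data: locally administered MACs, not from the thread.
SNIFFER, WATCHED, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
ON_SWITCH = [
    frame("ff:ff:ff:ff:ff:ff", WATCHED, 0x0806),   # ARP request
    frame("01:00:5e:00:00:fb", WATCHED),           # multicast UDP
    frame(WATCHED, SNIFFER),                       # TCP started from sniffer
]
ON_HUB = ON_SWITCH + [frame(OTHER, WATCHED)]       # watched box talking to a third host

if __name__ == "__main__":
    for name, capture in (("switching hub", ON_SWITCH), ("repeater hub", ON_HUB)):
        print(name, diagnose(capture, mac(SNIFFER)))
```

The check cannot tell a switched port from an interface that failed to enter promiscuous mode; as in the message above, swapping the hub or trying a second sniffer is what separates the two.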