Q-22: When I use one of the WinPcap-based applications, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?
A: This might be because the interface on which you're capturing is plugged into a switch; on a switched network, unicast traffic between two ports will not necessarily appear on other ports - only broadcast and multicast traffic will be sent to all ports.
Note that even if your machine is plugged into a hub, the "hub" may be a switched hub, in which case you're still on a switched network.
Note also that on the Linksys Web site, they say that their auto-sensing hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only", which would indicate that if you sniff on a 10Mb port, you will not see traffic sent to a 100Mb port, and vice versa. This problem has also been reported for Netgear dual-speed hubs, and may exist for other "auto-sensing" or "dual-speed" hubs.
Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single port to sniff all traffic. You would have to check the documentation for the switch to see if this is possible and, if so, to see how to do this. See, for example:
- this documentation from Cisco on the Switched Port Analyzer (SPAN) feature on Catalyst switches;
- documentation from HP on how to set `monitoring'/`mirroring' on ports on the console for HP Advancestack Switch 208 and 224;
- the `Network Monitoring Port Features' section of chapter 6 of documentation from HP for HP ProCurve Switches 1600M, 2424M, 4000M, and 8000M;
- the `Switch Port-Mirroring' section of chapter 6 of documentation from Extreme Networks for their Summit 200 switches;
- the documentation on `Configuring Port Mirroring and Monitoring' in Foundry Networks' documentation for their FastIron Edge Switches;
- the documentation on `Configuring Port Mirroring and Monitoring' in Foundry Networks' documentation for their BigIron MG8 Layer 3 Switches;
- the `Port Monitor' subsection of the `Status Monitor and Statistics' section of the documentation from Foundry Networks for their EdgeIron 4802F and 10GC2F switches;
- the `Configuring Port Mirroring' section of chapter 3 of the documentation from Foundry Networks for their EdgeIron 24G, 2402CF, and 4802CF switches;
- the documentation on `Configuring Port Mirroring and Monitoring' in Foundry Networks' documentation for their other switches and metro routers.
Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box of that sort, with a switch that has some number of Ethernet ports into which you plug machines on your network, and another Ethernet port used to connect to a cable or DSL modem, you can, at least, sniff traffic between the machines on your network and the Internet by plugging the Ethernet port on the router going to the modem, the Ethernet port on the modem, and the machine on which you're running tcpdump into a hub (make sure it's not a switching hub, and that, if it's a dual-speed hub, all three of those ports are running at the same speed).
If your machine is not plugged into a switched network or a dual-speed hub, or it is plugged into a switched network but the port is set up to have all traffic replicated to it, the problem might be that the network interface on which you're capturing doesn't support "promiscuous" mode, or that your OS can't put the interface into promiscuous mode. Normally, network interfaces supply to the host only:
- packets sent to one of that host's link-layer addresses;
- broadcast packets;
- multicast packets sent to a multicast address that the host has configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see. Tcpdump will try to put the interface on which it's capturing into promiscuous mode unless the -p option was specified. However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.
If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.
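The receive rules above can be modelled directly, which gives a quick way to check a capture: if it contains no unicast frames addressed to other hosts, that is consistent with the switched-network or non-promiscuous cases described in this answer. The following is an added example, not part of the original FAQ or of WinPcap; the function names, MAC addresses and sample frames are all constructed for illustration.

```python
# Added example: all MAC addresses and frames below are constructed.
BROADCAST = bytes.fromhex("ffffffffffff")

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return raw

def classify(dst, own_addrs, mcast_groups):
    """Name the delivery class of a destination MAC address."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # group bit set in the first octet: multicast
        return "multicast-joined" if dst in mcast_groups else "multicast-other"
    return "unicast-own" if dst in own_addrs else "unicast-foreign"

def nic_delivers(dst, own_addrs, mcast_groups, promiscuous):
    """True if the interface hands a frame with this destination to the host."""
    if promiscuous:
        return True  # promiscuous mode: every frame the interface sees
    kind = classify(dst, own_addrs, mcast_groups)
    return kind in ("unicast-own", "broadcast", "multicast-joined")

def summarize_capture(frames, own_addrs, mcast_groups):
    """Count raw Ethernet frames per class; short frames are counted as runts."""
    counts = {}
    for frame in frames:
        kind = "runt" if len(frame) < 14 else classify(frame[:6], own_addrs, mcast_groups)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def sees_other_hosts(counts):
    """True if the capture holds unicast frames addressed to other hosts."""
    return counts.get("unicast-foreign", 0) > 0

OWN = {parse_mac("02:00:00:00:00:01")}      # constructed: the capturing host
GROUPS = {parse_mac("01:00:5e:00:00:fb")}   # constructed: one joined group

def make_frame(dst, src="02:00:00:00:00:02"):
    """Build a constructed minimum-size Ethernet frame (IPv4 EtherType)."""
    return parse_mac(dst) + parse_mac(src) + b"\x08\x00" + b"\x00" * 46

SAMPLE = [make_frame("02:00:00:00:00:01"), make_frame("ff:ff:ff:ff:ff:ff"),
          make_frame("01:00:5e:00:00:fb"), make_frame("02:00:00:00:00:03"), b"\x00" * 5]
if __name__ == "__main__":
    print(summarize_capture(SAMPLE, OWN, GROUPS))
```

In a real capture, the own-address and joined-group sets come from the capturing interface's configuration; the destination address is always the first six bytes of each Ethernet frame.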
Resource comments
- sky8754227, 2012-10-10: Good stuff, the real deal
- 耿然, 2014-03-27: It would be even better with Chinese annotations
- djt_me, 2011-11-03: This is all in English
Lingsq2004