I am new to tcpdump. When I used

    tcpdump -i cloudbr0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on cloudbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:20:42.844355 IP 112.X.X.13 > 115.X.X.62: ICMP echo request, id 512, seq 25623, length 8

I believe this means 112.X.X.13 is making an ICMP request to 115.X.X.62. But none of the above IPs belongs to me or to my virtual machines. Then why is it showing on my interface? If I have enabled promiscuous mode, does that mean all the packets going through that switch will reach my interface?

asked 03 Apr '13, 23:29 krrypto
3 Answers:
Do the IPs belong to other systems in the network where your machines are located? If so, then these packets are most likely flooded by the switch. A switch will forward a packet to all ports in the same VLAN if the destination MAC address of the packet is unknown to the switch. This can be caused by:
answered 05 Apr '13, 00:31 SYN-bit ♦♦ |
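To check for the flooding described in the answer above, capture with `tcpdump -e -n` so the Ethernet header is printed, then sort frames by destination MAC. The following is an added example, not part of the original thread; the MAC addresses, IP addresses and sample lines are constructed, and `LOCAL_MACS` is an assumed list of the capture host's own MACs.

```python
import re

# Matches the link-level header that `tcpdump -e -n` prints before the IP summary.
LINE_RE = re.compile(
    r"^\S+ (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype \S+", re.I)

def classify(dst_mac, local_macs):
    """Say why a frame with this destination MAC could reach the capture NIC."""
    dst = dst_mac.lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:      # I/G bit set: group (multicast) address
        return "multicast"
    if dst in local_macs:
        return "unicast-to-local"
    return "unicast-to-other"     # flooded by the switch, or hub/mirror/bridge

def summarize(lines, local_macs):
    """Count frames per class and list foreign unicast destinations."""
    local = {m.lower() for m in local_macs}
    counts, foreign = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # tcpdump banner or non-Ethernet line
        kind = classify(m["dst"], local)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "unicast-to-other":
            dst = m["dst"].lower()
            foreign[dst] = foreign.get(dst, 0) + 1
    return counts, foreign

# Constructed sample of `tcpdump -e -n -i cloudbr0` output (documentation IPs).
SAMPLE = """\
listening on cloudbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:20:42.844355 00:1b:21:00:00:0d > 00:1b:21:00:00:3e, ethertype IPv4 (0x0800), length 60: 192.0.2.13 > 198.51.100.62: ICMP echo request, id 512, seq 25623, length 8
11:20:43.844400 00:1b:21:00:00:0d > 00:1b:21:00:00:3e, ethertype IPv4 (0x0800), length 60: 192.0.2.13 > 198.51.100.62: ICMP echo request, id 512, seq 25624, length 8
11:20:44.010000 00:1b:21:00:00:0d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.13, length 46
11:20:44.500000 00:1b:21:00:00:01 > 52:54:00:aa:bb:01, ethertype IPv4 (0x0800), length 98: 192.0.2.1 > 192.0.2.50: ICMP echo request, id 7, seq 1, length 64
11:20:45.000000 00:1b:21:00:00:0d > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.13.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (45)
"""
LOCAL_MACS = {"52:54:00:aa:bb:01"}   # assumed MAC of the capture host

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines(), LOCAL_MACS))
```

A steady count of `unicast-to-other` frames toward the same destination MAC points at that MAC being unknown to the switch (or at a hub, fail-open port or bridge, as the other answers suggest); broadcast and multicast frames are expected on every port in the VLAN.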
Promiscuous mode means all packets passing by the network interface will be captured; it doesn't affect the switch that the NIC is connected to.
answered 04 Apr '13, 01:27 grahamb ♦ |
cloudbr0 sounds like a bridge interface on Linux. If your sniffer system runs in bridge mode, that might be the reason why you see traffic of other systems. Without a detailed description of your setup, it is hard to tell what is going on. So, can you please add some information about that cloudbr0 interface, how the systems are connected to the switch, and whether the switch is a real switch and not just a switching hub?

BTW: Your switch may run in fail-open mode due to many errors on a port. In fail-open mode, it will basically work like a hub and you will see all traffic. Please check the switch logs.

Regards
answered 05 Apr '13, 01:53 Kurt Knochner ♦ edited 05 Apr '13, 01:53 |
Can you tell me how a packet which is not intended for my machine can enter my interface?