This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark promiscuous mode

0

I am still seeing packets when i set this capture filter

!ether host ab:cd:ef:gh:ij:kl (packets not destined to my mac) and promiscuous mode disabled on the interface.

The protocols captured were IGMPV2 and SSDP. Would like to know the reason.Thanks

asked 10 Apr '13, 20:28

krishnayeddula's gravatar image

krishnayeddula
629354148
accept rate: 6%

One Answer:

2

You are seeing this traffic because it's multicast traffic. IP multicast traffic has its own destination MAC addresses, generally beginning with 01:00:5E, and they different from your NIC's MAC address. However, your NIC listens to the multicast MAC addresses, at least for any multicast group that the computer has joined.

When your NIC is not in promiscuous mode, it listens to:

  • It's own MAC address
  • The ethernet broadcast address (ff:ff:ff:ff:ff:ff)
  • Multicast MAC addresses

Your capture is only filtering out the first one of these.

answered 10 Apr '13, 21:29

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Thanks Jim.If possible can you list out the packet types when the nic is in promiscuous mode.

(10 Apr '13, 21:41) krishnayeddula

When a NIC is in promiscuous mode, it passes all traffic that it sees up to the OS.

(11 Apr '13, 08:36) Jim Aragon

When a NIC is in promiscuous mode, it passes all traffic that it sees up to the OS.

...regardless of the destination MAC address. It won't, obviously, pass up traffic it doesn't see, so, for example, it's not, by default, as useful as you'd like on a switched network.

(11 Apr '13, 18:32) Guy Harris ♦♦