Revision history [back]

There's promiscuous mode and there's promiscuous mode.

Originally, the only way to enable promiscuous mode on Linux was to turn on the IFF_PROMISC flag on the interface; that flag showed up in the output of command such as ifconfig.

In the 2.2 kernel (i.e., a long time ago), a second mechanism was added; that mechanism does not set the IFF_PROMISC flag, so the interface being in promiscuous mode does not show up in the output of ifconfig, and it does not require promiscuous mode to be turned off manually - closing the last descriptor on which promiscuous mode was requested suffices.

libpcap uses the second mechanism if it's available; tcpdump and Wireshark both use libpcap to do packet capturing, so they'll use the second mechanism on any Linux system with a 2.2 or later kernel. Therefore, neither tcpdump nor Wireshark will, when capturing in promiscuous mode, cause ifconfig to show "PROMISC".

However:

• If you're capturing on an Ethernet that's on a switched network, promiscuous mode isn't sufficient to capture other machine's traffic, because that traffic probably isn't going to be sent to your switch port; see the Wireshark Wiki's page on Ethernet capture setup for more information;
• If you're capturing on Wi-Fi, promiscuous mode might not do anything at all - you'd need to capture in monitor mode, and set up Wireshark to be able to decrypt traffic if it's a "protected" network using WEP, WPA, WPA2, or WPA3. See the Wireshark Wiki's page on Wi-Fi capture setup for information on monitor mode and the Wireshark Wiki's "how to decrypt 802.11" page for information on that topic.