This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

monitoring icmp using tcpdump


I am new to tcpdump.

When I used

tcpdump -i cloudbr0 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on cloudbr0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:20:42.844355 IP 112.X.X.13 > 115.X.X.62: ICMP echo request, id 512, seq 25623, length 8

I believe this means 112.X.X.13 is making an ICMP request to 115.X.X.62.

But none of the above IPs belong to me or to my virtual machines. Then why is it showing up on my interface?

If I have enabled promiscuous mode, does that mean all the packets going through that switch will reach my interface?

asked 03 Apr '13, 23:29

krrypto


3 Answers:


Do the IPs belong to other systems in the network where your machines are located? If so, then these packets are most likely flooded by the switch. A switch will forward a packet to all ports in the same VLAN if the destination MAC address of the packet is unknown to the switch. This can be caused by:

  • a system that has been shut off but still receives traffic (ARP timeouts are usually longer than switch forwarding-table timeouts)
  • asymmetric routing, so one switch does not see outgoing packets from the particular system
  • the system has not sent any packets for a while
  • etc.

answered 05 Apr '13, 00:31

SYN-bit
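The flooding SYN-bit describes can be confirmed from a capture rather than guessed at: if the NIC is receiving unicast frames whose destination MAC is neither its own nor a broadcast/multicast address, something (switch flooding, a hub, or a bridge port) is delivering other hosts' traffic to it. The script below is an added example and is not code from the original thread. It parses a classic pcap file (the format written by `tcpdump -w`) using only the Python standard library, classifies each Ethernet frame by destination MAC, and lists the ICMP flows that were not addressed to this host at layer 2. The own MAC address, the sample frames and the pcap they are wrapped in are constructed for the demonstration (IP checksums are left at zero).

```python
"""Classify captured Ethernet frames by destination MAC to tell whether
unicast traffic for other hosts is reaching our NIC (switch flooding, a hub
or a bridge port) as opposed to ordinary broadcast/multicast traffic.
Added example, not from the original Q&A thread."""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ipv4_icmp_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet/IPv4/ICMP echo-request frame (constructed test
    data; the IP checksum is left at 0 because nothing here validates it)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 512, 1)  # type 8 echo request, id 512, seq 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def build_pcap(frames):
    """Wrap raw frames into a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1365000000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap(data):
    """Yield raw frames from a classic pcap file in either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    off = 24  # global header length
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_dst(frame, own_macs):
    """Bucket a frame by its destination MAC. 'foreign-unicast' should not
    normally reach a port of a switch that has learned where that MAC lives."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 1:  # group bit set
        return "multicast"
    if dst in own_macs:
        return "own-unicast"
    return "foreign-unicast"


def icmp_endpoints(frame):
    """Return (src_ip, dst_ip) for an IPv4 ICMP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_ICMP:  # IPv4 protocol field at offset 9 of the IP header
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))


def summarize(pcap_bytes, own_macs):
    """Count frames per destination category and list the ICMP flows that were
    not addressed to any of our MACs at layer 2."""
    own = {mac(m) for m in own_macs}
    counts = Counter()
    foreign_icmp = []
    for frame in iter_pcap(pcap_bytes):
        cat = classify_dst(frame, own)
        counts[cat] += 1
        if cat == "foreign-unicast":
            ep = icmp_endpoints(frame)
            if ep:
                foreign_icmp.append(ep)
    return counts, foreign_icmp


# Constructed sample: our NIC is 00:11:22:33:44:55. Host A pings host B (neither
# of them us), pings us directly, and sends one broadcast-addressed frame.
SAMPLE_PCAP = build_pcap([
    ipv4_icmp_frame("00:aa:aa:aa:aa:02", "00:aa:aa:aa:aa:01", "10.0.0.13", "10.0.0.62"),
    ipv4_icmp_frame("00:11:22:33:44:55", "00:aa:aa:aa:aa:01", "10.0.0.13", "10.0.0.9"),
    ipv4_icmp_frame("ff:ff:ff:ff:ff:ff", "00:aa:aa:aa:aa:01", "10.0.0.13", "10.0.0.255"),
])

if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_PCAP, ["00:11:22:33:44:55"])
    print(dict(counts))
    for src, dst in flows:
        print(f"foreign unicast ICMP seen on our port: {src} > {dst}")
```

On the real host, capture with `tcpdump -i cloudbr0 -w icmp.pcap icmp` and call summarize() on the file's bytes with the MAC addresses of the bridge and every interface enslaved to it; a non-zero foreign-unicast count is the evidence that the frames are being flooded, hubbed or bridged to you. `tcpdump -e` prints the same destination MACs on the console if you prefer to eyeball them.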


Promiscuous mode means all packets passing by the network interface will be captured, it doesn't affect the switch that the NIC is connected to.

answered 04 Apr '13, 01:27

grahamb

Can you tell me how a packet which is not intended for my machine enters my interface?

(04 Apr '13, 02:42) krrypto


tcpdump -i cloudbr0 icmp

cloudbr0 sounds like a bridge interface on Linux. If your sniffer system runs in bridge mode, that might be the reason why you see traffic from other systems. Without a detailed description of your setup, it is hard to tell what is going on. So, can you please add some information about that cloudbr0 interface, how the systems are connected to the switch, and whether the switch is a real switch and not just a switching hub.

BTW: Your switch may run in fail-open mode due to many errors on a port. In fail-open mode, it will basically work like a hub and you will see all traffic. Please check the switch logs.

Regards
Kurt

answered 05 Apr '13, 01:53

Kurt Knochner

edited 05 Apr '13, 01:53
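Kurt's question about what cloudbr0 actually is can be answered from sysfs without any extra tools. The snippet below is an added example, not code from Kurt or the original poster: it reads the standard Linux /sys/class/net layout, where a `bridge/` directory marks a bridge device, `brif/` lists the ports enslaved to it, `brport/` marks an interface that is itself a bridge port, and `flags` holds the interface flags as a hex word in which bit 0x100 is IFF_PROMISC. A constructed fake sysfs tree is included so the example runs offline; on the real host point the functions at the default /sys/class/net.

```python
"""Inspect a Linux network interface via sysfs: is it a bridge, which ports
belong to it, and is it in promiscuous mode. Added example, not from the
original thread; the sysfs paths used are the standard kernel layout."""
import os
import tempfile

IFF_PROMISC = 0x100  # from linux/if.h; /sys/class/net/<if>/flags is a hex word

SYSFS_NET = "/sys/class/net"


def iface_kind(name, sysfs_net=SYSFS_NET):
    """Return 'bridge', 'bridge-port' or 'plain' for an interface."""
    d = os.path.join(sysfs_net, name)
    if not os.path.isdir(d):
        raise FileNotFoundError(f"no interface {name} under {sysfs_net}")
    if os.path.isdir(os.path.join(d, "bridge")):
        return "bridge"
    if os.path.isdir(os.path.join(d, "brport")):
        return "bridge-port"
    return "plain"


def bridge_ports(name, sysfs_net=SYSFS_NET):
    """Sorted list of interfaces enslaved to bridge `name` (empty if not a bridge)."""
    d = os.path.join(sysfs_net, name, "brif")
    if not os.path.isdir(d):
        return []
    return sorted(os.listdir(d))


def is_promisc(name, sysfs_net=SYSFS_NET):
    """True if IFF_PROMISC is set in the interface's flags file."""
    with open(os.path.join(sysfs_net, name, "flags")) as f:
        return bool(int(f.read().strip(), 16) & IFF_PROMISC)


def describe(name, sysfs_net=SYSFS_NET):
    """Everything a reader of this thread would want to know about cloudbr0."""
    kind = iface_kind(name, sysfs_net)
    info = {"kind": kind, "promisc": is_promisc(name, sysfs_net)}
    if kind == "bridge":
        info["ports"] = bridge_ports(name, sysfs_net)
    return info


def make_fake_sysfs(root=None):
    """Constructed sysfs tree for offline use (assumption: the real host looks
    like this): bridge cloudbr0 with ports eth0 and vnet0, eth0 being a bridge
    port, the bridge device promiscuous (0x1103 = UP|BROADCAST|PROMISC|MULTICAST)
    and eth0 not (0x1003)."""
    root = root or tempfile.mkdtemp(prefix="fake-sysfs-")
    for p in ("cloudbr0/bridge", "cloudbr0/brif/eth0", "cloudbr0/brif/vnet0", "eth0/brport"):
        os.makedirs(os.path.join(root, p), exist_ok=True)
    with open(os.path.join(root, "cloudbr0", "flags"), "w") as f:
        f.write("0x1103\n")
    with open(os.path.join(root, "eth0", "flags"), "w") as f:
        f.write("0x1003\n")
    return root


if __name__ == "__main__":
    import sys
    sysfs = sys.argv[1] if len(sys.argv) > 1 else make_fake_sysfs()
    for iface in ("cloudbr0", "eth0"):
        print(iface, describe(iface, sysfs))
```

If `describe("cloudbr0")` reports a bridge with a physical uplink and VM taps as ports, Kurt's explanation applies: Linux hands a promiscuous bridge device a copy of the frames it forwards between its ports, so `tcpdump -i cloudbr0` shows traffic between the VMs and the uplink regardless of which IP addresses the host itself owns. Rerunning the capture with `tcpdump -p` (do not put the interface into promiscuous mode) is the quickest way to see how much of that traffic disappears.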