
Is it promiscuous mode doing this?

asked 2019-08-28 00:13:24 +0000

dennis

I have a wired Ethernet connection. My PC is connected to a CISCO switch. This switch is NOT in mirrored mode.

When I start up Wireshark (with promiscuous mode on), I see every bit of traffic on the network (not just broadcasts and stuff to .255).

When I turn promiscuous off, I only see traffic to and from my PC and broadcasts and stuff to .255.

The Wireshark application is running on my computer that is wired. It doesn't get packets unless it traverses that physical wire. The switch shouldn't be seeing the traffic whether I have promiscuous on or not. I've tried the same on a wired laptop (different VLAN) and it behaves the same.

This is a switch, not a hub. Could Wireshark somehow be telling the switch to send all packets?


1 Answer


answered 2019-08-28 01:13:54 +0000

Guy Harris

> This switch is NOT in mirrored mode.

I.e., none of the switch ports, including the port into which the PC is plugged, are set up as mirror ports?

> Could Wireshark somehow be telling the switch to send all packets?

Unlikely. It has no code to do so; it turns on promiscuous mode by telling libpcap/WinPcap/Npcap to open the adapter for capture in promiscuous mode, and libpcap/WinPcap/Npcap implement that by making calls that end up with the driver being told to turn promiscuous mode on for the adapter. Neither libpcap nor WinPcap nor Npcap send out any "make this a mirror port" packets, if Cisco switches even support packets of that type. I don't know of any OSes where turning on promiscuous mode causes such a packet to be sent, either, so if it's being sent, it's a result of a change to standard Wireshark, standard libpcap/WinPcap/Npcap, or standard OS code.

There shouldn't be any indication on the wire to the switch to indicate that the device is in promiscuous mode, so the most likely explanation is that, for some reason, all packets are being sent to the port(s) into which you've plugged the machines running Wireshark. Have you tried it on multiple switch ports, or just one particular port?


Comments

None of the ports I am plugged into are set up to be mirror ports.

If I try it on another device, and another port, and a different VLAN (different class C address), the "problem" still occurs. I see all traffic for that class C address. It is the same CISCO switch.

dennis (2019-08-28 16:45:20 +0000)

Then it sounds as if your switch is doing something weird. You might want to ask Cisco about that.

Guy Harris (2019-08-28 17:48:36 +0000)
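
One way to put numbers on what this thread describes, as an added example that is not part of the original posts or of Wireshark/libpcap: it buckets the frames of a saved capture by destination MAC, so that unicast frames addressed to other hosts (the traffic promiscuous mode reveals, and which a non-mirror switch port would not normally deliver) are counted separately. It assumes a classic pcap file (not pcapng) with Ethernet link type; the MAC addresses and the sample capture are constructed.

```python
import struct

BROADCAST = b"\xff" * 6

def classify(dst: bytes, src: bytes, my_mac: bytes) -> str:
    """Bucket one Ethernet frame relative to the capturing host's MAC."""
    if src == my_mac:
        return "from_me"            # our own outgoing traffic
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:               # I/G bit set: group (multicast) address
        return "multicast"
    if dst == my_mac:
        return "to_me"
    return "foreign_unicast"        # only accepted with promiscuous mode on

def summarize_pcap(data: bytes, my_mac: bytes) -> dict:
    """Count frames per bucket in a classic (non-pcapng) Ethernet pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<",      # usec / nsec, little-endian
              0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = dict.fromkeys(
        ("to_me", "from_me", "broadcast", "multicast", "foreign_unicast"), 0)
    off = 24                        # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 12:        # need both MAC addresses
            counts[classify(frame[:6], frame[6:12], my_mac)] += 1
    return counts

def build_sample_pcap(pairs) -> bytes:
    """Constructed test capture: one padded IPv4-typed frame per (dst, src)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in pairs:
        frame = dst + src + b"\x08\x00" + bytes(46)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed, locally administered MACs (not from the original thread).
ME, A, B = (bytes.fromhex("02000000000" + d) for d in "123")
MCAST = bytes.fromhex("01005e000001")
SAMPLE = build_sample_pcap([(ME, A), (A, ME), (BROADCAST, A),
                            (MCAST, A), (B, A), (A, B)])
```

Comparing the `foreign_unicast` count across captures taken on different switch ports gives concrete figures to include when raising the behaviour with the switch vendor.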
