tshark: why is -p (no promiscuous mode) not working for me?

asked 2022-06-17 17:28:52 +0000

brec gravatar image

sudo tshark -i enp2s0 -p on Ubuntu.
New user. The host has another wire interface, enp1s0, also. Both interfaces are on the same local subnet. When I first used this command a few days ago it didn't capture any traffic for which the specified interface was not the src or dst. But today it's showing me everything on the local subnet, including, e.g., SSH traffic on enp1s0.

I did a little research on promiscuous mode, and wondered if enp2s0 had been put in it by some accident. I did sudo ifconfig enp2s0 -promisc but that didn't help.

edit retag flag offensive close merge delete

Comments

What's the output of sudo ifconfig enp2s0?

# ifconfig eth1 
eth1: flags=4419<up,broadcast,running,promisc,multicast>  mtu 1500
...

# ifconfig eth1 -promisc

# ifconfig eth1 
eth1: flags=4163<up,broadcast,running,multicast>  mtu 1500
...
Chuckc gravatar imageChuckc ( 2022-06-17 21:01:00 +0000 )edit

@Chuckcenp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

brec gravatar imagebrec ( 2022-06-17 21:06:42 +0000 )edit

it's showing me everything on the local subnet, including, e.g., SSH traffic.

I.e., it's showing you traffic that's not multicast or broadcast (SSH runs over TCP, so it's unlikely to be multicast or broadcast traffic) and that's neither to nor from the MAC address of enp2s0?

Guy Harris gravatar imageGuy Harris ( 2022-06-17 21:31:43 +0000 )edit

@Guy_Harris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently:

1 0.000000000 192.168.50.10 → 192.168.50.200 SSH 286 Server: Encrypted packet (len=220)
2 0.635631551 TP-Link_10:15:3b → Broadcast    0x8899 60 Realtek Layer 2 Protocols
3 0.724978513 192.168.50.10 → 192.168.50.200 SSH 198 Server: Encrypted packet (len=132)

enp2s0's ip address is 192.168.50.212. tshark, at least with only the -p option, doesn't show MAC addresses. 192.168.50.10 is enp1s0 -- with which 192.168.50.200, another host, is the SSH client. TP-Link is a switch.
Off topic: there's probably a way to tag you with "@" but "GuyHarris" didn't work so I tried the underscore.

brec gravatar imagebrec ( 2022-06-17 21:43:35 +0000 )edit
add a comment