Is it promiscuous mode doing this?

I have a wired Ethernet connection. My PC is connected to a CISCO switch. This switch is NOT in mirrored mode.

When I start up Wireshark (with promiscuous mode on), I see every bit of traffic on the network (not just broadcasts and stuff to .255).

When I turn promiscuous off, I only see traffic to and from my PC and broadcasts and stuff to .255.

The Wireshark application is running on my computer that is wired. It doesn't get packets unless it traverses that physical wire. The switch shouldn't be seeing the traffic whether I have promiscuous on or not. I've tried the same on a wired laptop (different VLAN) and it behaves the same.

This is a switch, not a hub. Could Wireshark somehow be telling the switch to send all packets?

dennis
asked 2019-08-28 00:13:24 +0000
1 Answer

> This switch is NOT in mirrored mode.

I.e., none of the switch ports, including the port into which the PC is plugged, are set up as mirror ports?

> Could Wireshark somehow be telling the switch to send all packets?

Unlikely. It has no code to do so; it turns on promiscuous mode by telling libpcap/WinPcap/Npcap to open the adapter for capture in promiscuous mode, and libpcap/WinPcap/Npcap implement that by making calls that end up with the driver being told to turn promiscuous mode on for the adapter. Neither libpcap nor WinPcap nor Npcap send out any "make this a mirror port" packets, if Cisco switches even support packets of that type. I don't know of any OSes where turning on promiscuous mode causes such a packet to be sent, either, so if it's being sent, it's a result of a change to standard Wireshark, standard libpcap/WinPcap/Npcap, or standard OS code.

There shouldn't be any indication on the wire to the switch to indicate that the device is in promiscuous mode, so the most likely explanation is that, for some reason, all packets are being sent to the port(s) into which you've plugged the machines running Wireshark. Have you tried it on multiple switch ports, or just one particular port?

Guy Harris
answered 2019-08-28 01:13:54 +0000

Comments

None of the ports I am plugged into are set up to be mirror ports.

If I try it on another device, and another port, and a different VLAN (different class C address), the "problem" still occurs. I see all traffic for that class C address. It is the same CISCO switch.

dennis (2019-08-28 16:45:20 +0000)

Then it sounds as if your switch is doing something weird. You might want to ask Cisco about that.

Guy Harris (2019-08-28 17:48:36 +0000)
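
As an added illustration (not part of the original thread, and not Wireshark or libpcap code), the Python below classifies the frames in a capture taken with promiscuous mode on, relative to the capturing machine's own MAC address, to measure how much unicast traffic between other stations the switch delivered to the port. The MAC addresses and the in-memory pcap are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def read_pcap(data):
    """Yield raw frames from a classic (microsecond) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if (len(data) < 24 or endian is None
            or struct.unpack(endian + "I", data[20:24])[0] != 1):
        raise ValueError("need a classic pcap file with Ethernet link type")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame, own_mac):
    """Classify one Ethernet frame relative to the capturing NIC's MAC."""
    if len(frame) < 14:
        return "truncated"
    dst, src = frame[:6], frame[6:12]
    if dst[0] & 0x01:                          # I/G bit set: group address
        return "broadcast" if dst == BROADCAST else "multicast"
    return "own_unicast" if own_mac in (dst, src) else "foreign_unicast"

def summarize(pcap_bytes, own_mac):
    """Return (counts per class, counts per foreign unicast destination)."""
    classes, foreign_dst = Counter(), Counter()
    for frame in read_pcap(pcap_bytes):
        kind = classify(frame, own_mac)
        classes[kind] += 1
        if kind == "foreign_unicast":          # unicast between two other hosts
            foreign_dst[frame[:6].hex(":")] += 1
    return classes, foreign_dst

# Constructed sample data: locally administered MACs, six frames on one port.
OWN, PEER_A, PEER_B = (bytes.fromhex("02000000000" + d) for d in "123")

def sample_pcap():
    pairs = [(BROADCAST, PEER_A), (OWN, PEER_A), (PEER_A, OWN),
             (PEER_B, PEER_A), (PEER_A, PEER_B),
             (bytes.fromhex("01005e0000fb"), PEER_B)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in pairs:
        frame = dst + src + b"\x08\x00" + bytes(46)   # header + zero payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Calling `summarize(sample_pcap(), OWN)` on the sample reports two `foreign_unicast` frames; on a real capture, a persistently large count of that class on a port that is not a mirror port matches the behaviour the answer attributes to the switch rather than to Wireshark.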