I have several NICs I'm using for wireshark captures and I want them to listen only - no outbound traffic ever. I'm thinking the easiest way to do this is to not specify a gateway for the NIC, which may or may not have an IP address associated with the current LAN. Am I on the right track?
Partly. Bring up the interface without any IP(4/6) address assigned, nor start a DHCP or other network configuration client of course, to have an idle interface which is not likely to send out any frames.
Very interesting - I never even thought of that, I think my head just exploded. So basically put a NIC on the net with no IP address and open it in promiscuous mode and sniff away. Interesting, I hadn't considered they would still listen if not configured.
Suppose I had a NIC that needed to be on a certain IP address - say for output from the local cable router DMZ. What then, back to the no gateway scheme?
Actually no - again! Open in promiscuous mode and filter the the IP address I'm interested in from the router DMZ. Thanks for some good ideas.
OK, fantastic - but how does this impact the construction of the local ARP table - if there's no entry in the ARP table for the "quiet" NIC does the switch just flood the clients hoping someone is listening (which we would be) or reject the packet outright?
Comments