tshark: why is -p (no promiscuous mode) not working for me?

sudo tshark -i enp2s0 -p on Ubuntu.
New user. The host has another wired interface, enp1s0, also. Both interfaces are on the same local subnet. When I first used this command a few days ago it didn't capture any traffic for which the specified interface was not the src or dst. But today it's showing me everything on the local subnet, including, e.g., SSH traffic on enp1s0.

I did a little research on promiscuous mode, and wondered if enp2s0 had been put in it by some accident. I did sudo ifconfig enp2s0 -promisc but that didn't help.

brec
asked 2022-06-17 17:28:52 +0000

Comments

What's the output of sudo ifconfig enp2s0?

# ifconfig eth1 
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
...

# ifconfig eth1 -promisc

# ifconfig eth1 
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
...
Chuckc (2022-06-17 21:01:00 +0000)
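Added example, not part of the thread: a POSIX sh helper that decodes the numeric flags value ifconfig prints (4419 vs. 4163 above) into Linux IFF_* names and reports whether the PROMISC bit is set, so the check can be scripted instead of eyeballed. Bit values are from <linux/if.h>; the interface name passed to report_iface is whatever you are checking.

```shell
#!/bin/sh
# Decode a numeric interface flags value (as shown by ifconfig, e.g. 4419)
# into IFF_* names. Bit values are from <linux/if.h>.
decode_iff_flags() {
    flags=$1
    names=""
    for pair in 1:UP 2:BROADCAST 8:LOOPBACK 16:POINTOPOINT 64:RUNNING \
                128:NOARP 256:PROMISC 512:ALLMULTI 4096:MULTICAST; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( flags & bit )) -ne 0 ]; then
            names="${names:+$names,}$name"
        fi
    done
    printf '%s\n' "$names"
}

# Exit status 0 when the PROMISC bit (0x100) is set in a numeric flags value.
flags_promisc() {
    [ $(( $1 & 256 )) -ne 0 ]
}

# Read the live flags of an interface from sysfs (a hex string such as 0x1143),
# print them the way ifconfig does, and say whether promiscuous mode is on.
# Example: report_iface enp2s0
report_iface() {
    iface=$1
    path="/sys/class/net/$iface/flags"
    if [ ! -r "$path" ]; then
        echo "no such interface: $iface" >&2
        return 1
    fi
    hex=$(cat "$path")
    dec=$(( hex ))   # shell arithmetic accepts the 0x prefix
    printf '%s: flags=%s<%s>\n' "$iface" "$dec" "$(decode_iff_flags "$dec")"
    if flags_promisc "$dec"; then
        echo "$iface has IFF_PROMISC set"
    else
        echo "$iface does not have IFF_PROMISC set"
    fi
}
```

Caveat: the IFF_PROMISC flag seen by ifconfig and sysfs only reflects promiscuity set through the interface flags (ifconfig promisc / ip link set promisc on); a capture tool that enables promiscuous mode via the packet socket shows up instead in the promiscuity counter printed by ip -d link show, so check both.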

@Chuckc enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

brec (2022-06-17 21:06:42 +0000)

it's showing me everything on the local subnet, including, e.g., SSH traffic.

I.e., it's showing you traffic that's not multicast or broadcast (SSH runs over TCP, so it's unlikely to be multicast or broadcast traffic) and that's neither to nor from the MAC address of enp2s0?

Guy Harris (2022-06-17 21:31:43 +0000)

@Guy_Harris That's right. Here are the first three lines of output from sudo tshark -i enp2s0 -p recently:

1 0.000000000 192.168.50.10 → 192.168.50.200 SSH 286 Server: Encrypted packet (len=220)
2 0.635631551 TP-Link_10:15:3b → Broadcast    0x8899 60 Realtek Layer 2 Protocols
3 0.724978513 192.168.50.10 → 192.168.50.200 SSH 198 Server: Encrypted packet (len=132)

enp2s0's IP address is 192.168.50.212. tshark, at least with only the -p option, doesn't show MAC addresses. 192.168.50.10 is enp1s0 -- with which 192.168.50.200, another host, is the SSH client. TP-Link is a switch.
Off topic: there's probably a way to tag you with "@" but "GuyHarris" didn't work so I tried the underscore.

brec (2022-06-17 21:43:35 +0000)