
Re: Promiscuous mode for ethernet device

Kevin Coyner, 2002-Dec-10 17:31 -0500:
> On Tue, Dec 10, 2002 at 01:47:41PM -0500, sean finney wrote......
> > heya,
> > 
> > iirc promiscuous mode means to listen to all traffic on the network
> > as opposed to only traffic addressed to the mac address of your ethernet
> > card.   this is real useful for passively sniffing packets on your
> > network when you don't want to / can't run it on one of the machines
> > in question.  
> One question that I've been meaning to ask and this seems to be close to
> being on-topic:  If you're running a sniffer in promiscuous mode on a 
> network that is linked together via a switch (as opposed to a hub), will
> you still be able to passively capture all packets from all boxes on the
> net?  Or is that one of the purposes of the switch - to ensure privacy?
> Is there any way around this?

You will only see the broadcast and multicast traffic, along with the
traffic to and from your system.  A switch is a multi-port bridge that
forwards traffic at layer 2, based on the destination MAC address.
The broadcast traffic is flooded to all ports on the switch while the
multicast traffic will do the same unless the switch has some multicast

This isn't designed for privacy, but rather scalability and
performance.  It's not good to put more than 100 or so systems on an
ethernet segment of hubs (repeaters) since only one system can
transmit at a time.  The number is debatable, but 100 is a good number
to start with.  

To get around this, you'd need switches that do "port mirroring", but
then this feature is limited, e.g. mirroring 16 100MB ports would
require 2-3 Gigabit ports to mirror to, and a 4GB backplane to handle
the duplication of all the traffic at full load.  Typically, you'd
mirror server and/or uplink ports, and then only to troubleshoot or
study a link.


Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
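
The following is an added example, not part of the thread above and not
code from anyone posting in it. It is a small Python model of the
behaviour Jeff describes: a hub repeats every frame out every port, a
switch learns source MACs and forwards unicast only to the learned port
(flooding broadcast, multicast and unknown destinations), and a mirror
(SPAN) port copies whatever enters or leaves a monitored port. The MAC
addresses, port numbers and the six-frame traffic sample are constructed
for the illustration; the Hub and Switch classes are deliberate
simplifications (no VLANs, no aging, no MAC table limits).

```python
"""Model of what a promiscuous sniffer sees on a hub versus a switch.

All MACs, ports and traffic below are constructed for the example.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MULTICAST = "01:00:5e:00:00:01"   # an IPv4 multicast group MAC


def is_group_address(mac):
    """True for broadcast and multicast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Hub:
    """Repeater: every frame goes out every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return {p for p in self.ports if p != in_port}


class Switch:
    """Learning bridge: forwards on destination MAC, floods what it cannot look up.

    mirror maps a monitored port to the SPAN port that receives copies of
    every frame entering or leaving it.
    """

    def __init__(self, ports, mirror=None):
        self.ports = list(ports)
        self.fdb = {}                # learned MAC -> port
        self.mirror = mirror or {}   # monitored port -> mirror port

    def forward(self, in_port, src, dst):
        self.fdb[src] = in_port      # learn the source address on the ingress port
        if is_group_address(dst) or dst not in self.fdb:
            outs = {p for p in self.ports if p != in_port}   # flood
        else:
            outs = {self.fdb[dst]}                            # known unicast
        for monitored, span in self.mirror.items():
            if span != in_port and (monitored == in_port or monitored in outs):
                outs.add(span)                                # port mirroring copy
        return outs


def nic_accepts(own_mac, dst, promiscuous):
    """Ethernet card receive filter: own unicast, group addresses, or everything."""
    return promiscuous or dst == own_mac or is_group_address(dst)


def capture(device, sniffer_port, sniffer_mac, promiscuous, frames):
    """Return the (src, dst) pairs the sniffer's NIC hands up to the capture tool.

    Frames the sniffer host sends itself are always visible to it.
    """
    seen = []
    for in_port, src, dst in frames:
        outs = device.forward(in_port, src, dst)
        if in_port == sniffer_port:
            seen.append((src, dst))
        elif sniffer_port in outs and nic_accepts(sniffer_mac, dst, promiscuous):
            seen.append((src, dst))
    return seen


# Constructed topology: A on port 1, B on port 2, sniffer S on port 3.
A = "00:00:00:00:00:0a"
B = "00:00:00:00:00:0b"
S = "00:00:00:00:00:0c"
TRAFFIC = [
    (1, A, BROADCAST),   # A ARPs for B
    (2, B, A),           # B answers A directly
    (1, A, B),           # A talks to B
    (1, A, MULTICAST),   # A sends a multicast frame
    (2, B, S),           # B talks to the sniffer host
    (3, S, B),           # the sniffer host answers B
]


def demo():
    """Run the same traffic through each scenario; fresh devices each time."""
    return {
        "hub, promiscuous": capture(Hub([1, 2, 3]), 3, S, True, TRAFFIC),
        "hub, normal": capture(Hub([1, 2, 3]), 3, S, False, TRAFFIC),
        "switch, promiscuous": capture(Switch([1, 2, 3]), 3, S, True, TRAFFIC),
        "switch, normal": capture(Switch([1, 2, 3]), 3, S, False, TRAFFIC),
        "switch, port 2 mirrored to 3": capture(
            Switch([1, 2, 3], mirror={2: 3}), 3, S, True, TRAFFIC),
    }


if __name__ == "__main__":
    for name, frames in demo().items():
        print(f"{name}: {len(frames)} frames {frames}")
```

On the hub, promiscuous mode turns four visible frames into all six. On
the switch, the promiscuous and normal captures are identical: the
unicast exchange between A and B never reaches port 3 at all, so the
sniffer sees only broadcast, multicast and its own conversation with B.
Only the mirrored configuration, where the switch copies port 2's
traffic to port 3, restores the full view, which is the port-mirroring
dependency the reply points out.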
