Ethereal capturing a source and destination that is not its ip

Unanswered Question
Jul 19th, 2007

Got a question in regards to Ethereal capturing a source and destination set of IP addresses that do not include the IP of the device that I capture on. Is this due to promiscuous mode?

Say the capture NIC card is 10.0.0.1. I am getting in some of the capture lines a source of say 10.1.2.1 with destination 10.1.2.2, i.e. it does not include the PC that is running Ethereal doing the capture. (I am not running RSPAN either.)

AJAZ NAWAZ Thu, 07/19/2007 - 23:06

Let's just clear up a few things. RSPAN is only used when there is a requirement to sniff a network port on a switch that is not directly connected to the same switch as the sniffer. So the first question is: is your Ethereal host connected to the same switch?


Secondly, if you have set a filter in Ethereal stipulating the source/destination IP pair of addresses, then the capture should only show those packets which match exactly the src/dst IPs which you have set.


Any PVLAN configuration associated with the port which you are sniffing, or the port connected to Ethereal, will undoubtedly throw up unexpected results, and in some cases nothing at all.


"PVLAN ports cannot be trunk ports, cannot channel, cannot have dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN) destination."


<http://www.cisco.com/warp/public/473/63.html>


hth,

Ajaz

geraldcombs Sat, 07/21/2007 - 12:49

Ethereal (which has been renamed to Wireshark) captures in promiscuous mode by default, meaning that it will bring in all traffic that hits the NIC. Something you might want to look into is why traffic for 10.1.2.1 and 10.1.2.2 is hitting your port. Assuming you're on a switch (and not a hub), AND that you don't have SPAN configured, you shouldn't see unicast traffic between other ports (in theory, at least).


You should really think about upgrading to Wireshark, BTW. We changed the name from Ethereal in May 2006: http://www.wireshark.org/. Several major security bugs have been fixed since then.

evan2five Tue, 07/24/2007 - 18:26

Thanks for your replies. It looks like it is traffic from a server destined for a host whose MAC address has timed out on the switch.
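The triage the thread arrives at, as an added example that is not code from any poster: given frames decoded from a promiscuous-mode capture, separate what a switched port legitimately sees (the capture host's own traffic, broadcast, multicast) from unicast between two other hosts, and count the latter per destination, since the host whose MAC entry aged out is the destination of every flooded frame. The capture host IP is the 10.0.0.1 from the question; the sample frames are constructed.

```python
# Added example, not from the thread. Classifies frames from a promiscuous-mode
# capture: on a switch without SPAN, unicast that involves neither the capture
# host nor a group (broadcast/multicast) MAC points at unknown-unicast flooding,
# which happens after the destination's MAC table entry ages out.
from collections import Counter

CAPTURE_HOST_IP = "10.0.0.1"   # NIC the sniffer runs on (value from the question)


def is_group_mac(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(frame: dict) -> str:
    """Return 'own', 'group' or 'foreign-unicast' for one decoded frame."""
    if CAPTURE_HOST_IP in (frame["src_ip"], frame["dst_ip"]):
        return "own"
    if is_group_mac(frame["dst_mac"]):
        return "group"          # expected on any port, no flooding implied
    return "foreign-unicast"    # unexpected on a switch without SPAN


def flood_report(frames) -> Counter:
    """Count foreign unicast by (dst_mac, dst_ip); a single destination
    dominating the count is the host whose MAC entry the switch has aged out."""
    counts = Counter()
    for f in frames:
        if classify(f) == "foreign-unicast":
            counts[(f["dst_mac"], f["dst_ip"])] += 1
    return counts


# Constructed sample frames (not real captured data).
SAMPLE = [
    {"dst_mac": "00:11:22:33:44:55", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.1"},
    {"dst_mac": "ff:ff:ff:ff:ff:ff", "src_ip": "10.0.0.7", "dst_ip": "10.0.0.255"},
    {"dst_mac": "01:00:5e:00:00:fb", "src_ip": "10.0.0.7", "dst_ip": "224.0.0.251"},
    {"dst_mac": "00:aa:bb:cc:dd:02", "src_ip": "10.1.2.1", "dst_ip": "10.1.2.2"},
    {"dst_mac": "00:aa:bb:cc:dd:02", "src_ip": "10.1.2.1", "dst_ip": "10.1.2.2"},
]

if __name__ == "__main__":
    for (mac, ip), n in flood_report(SAMPLE).items():
        print(f"unicast to {ip} ({mac}) seen {n}x without involving {CAPTURE_HOST_IP}")
```

The same first cut can be taken directly in Wireshark with a display filter such as `!(ip.addr == 10.0.0.1) && !eth.dst.ig`, which hides the capture host's own traffic and anything sent to a group MAC.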
