Is it Possible to Capture All HTTP Packets to a Target IP on a subnet?

I’ve been trying to use tcpdump to capture packets to a target IP on my subnet, but am unable to do so successfully. I’ve tried:

tcpdump -i eth0 net network-ip-address/27 -A and tcp port 80

But it only gives me the packets I send from my IP to the target IP, not the packets other people are sending it.

I’m starting to wonder whether or not capturing all such packets is even possible. If not, can you please explain why? If yes, can you please tell me how to do this and the idea behind how it works.

Note, this is on a dummy network designed for learning purposes, not an actual network.

Answer

Your computer is probably connected to an Ethernet switch, which is only going to transmit broadcast traffic or traffic bound to your computer’s MAC address. This is the difference between a switch, which gives each computer a dedicated Ethernet collision domain, and an Ethernet hub, which shares a collision domain across all connected devices. In a shared-medium Ethernet network all frames are “seen” by all devices attached to the shared-medium. In a switched Ethernet network that’s not the case.

Moving all the computers in the subnet to a shared-medium device (plugging them into an Ethernet hub) is probably not an option (because you probably don’t have an Ethernet hub available).

You could use a tool that “floods” the switch MAC table with fake addresses, forcing it to flood frames out all ports and thereby making it functionally like a hub. This isn’t something I’d do if I didn’t have permission from the owner of the switch, but since it’s your network that’s not an issue. The ettercap tool is an example of a tool that can perform the MAC flooding I’m discussing.

Capturing all traffic leaving a subnet can typically be facilitated by using built-in monitoring functionality in the switch (port monitoring, or “SPAN” ports in Cisco terminology) to duplicate the traffic on the port connecting the subnet to its gateway router. Using an Ethernet tap to capture traffic heading to a single device is also a viable strategy.

Attribution
Source: Link, Question Author: Hikari, Answer Author: Evan Anderson
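
The switching behaviour described in the answer, as an added example that is not part of the original question or answer: a toy Python model of a learning switch, showing why a capture host on another port sees only flooded frames and how a mirror (SPAN) session delivers copies to a capture port. The port numbers, MAC addresses and the `max_macs_per_port` cap (a port-security style limit on learned addresses, the usual defence against MAC-table flooding) are assumptions of the model.

```python
# Added illustration: toy model of a learning Ethernet switch with one
# mirror (SPAN) session. Port numbers and MAC strings are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = set(ports)
        self.table = {}            # learned MAC -> port
        self.mirror = None         # (monitored_port, capture_port) or None
        self.max_macs = max_macs_per_port   # port-security style limit
        self.violations = []       # (port, mac) learn attempts refused

    def _learn(self, port, mac):
        if self.table.get(mac) == port:
            return True
        on_port = sum(1 for p in self.table.values() if p == port)
        if self.max_macs is not None and on_port >= self.max_macs:
            self.violations.append((port, mac))
            return False           # frame from an over-limit source is dropped
        self.table[mac] = port
        return True

    def receive(self, in_port, src, dst):
        """Return the set of ports this frame is transmitted on."""
        if not self._learn(in_port, src):
            return set()
        if dst == BROADCAST or dst not in self.table:
            out = self.ports - {in_port}          # broadcast / unknown unicast: flood
        else:
            out = {self.table[dst]} - {in_port}   # known unicast: one port only
        if self.mirror:
            monitored, capture = self.mirror
            if in_port == monitored or monitored in out:
                out = out | {capture}             # copy to the capture port
        return out - {in_port}


def demo():
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    client, target = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    first = sw.receive(1, client, target)     # target not learned yet: flooded
    sw.receive(2, target, client)             # the reply teaches the switch
    steady = sw.receive(1, client, target)    # now forwarded to port 2 only
    sw.mirror = (2, 4)                        # mirror the target's port to port 4
    mirrored = sw.receive(1, client, target)  # capture host on port 4 gets a copy
    return first, steady, mirrored


if __name__ == "__main__":
    print(demo())
```
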