tcpdump to watch *other* machines

Discussion in 'Linux Networking' started by wlcna, Aug 30, 2003.

  1. wlcna

    wlcna Guest

    I'm trying to watch http traffic initiated from machine A on a LAN from
    machine B on same LAN, a linux box. This is mostly for convenience so I
    don't need to install extra stuff on machine A. This is a simple home
    LAN, not a business. I tried,

    tcpdump 'dst port 80'

    and

    tcpdump 'tcp port 80'

    and in either case only saw traffic where the linux machine was involved.

    So I thought, duh, maybe it's because I have a switch and not a hub, since
    the purpose of a switch is to *not* send packets not involving a machine
    down *all* the wires like a hub does, right? Is that the only problem?
    This is something tcpdump is supposed to be able to do, right? (I.e.
    assuming a simple, cheap hub or old-fashioned coax ethernet "backbone"
    type connections.)
     
    wlcna, Aug 30, 2003
    #1

  2. Yes, that is the problem, the switch doesn't send non-broadcast packets
    from machine A which are not destined for machine B to machine B.
    There's nothing tcpdump can do about it when the packets don't even
    appear on the interface.

    If you used a hub instead it would indeed work as you expect.

    You can get switches which will replicate traffic on one port onto
    another for this purpose. But these tend to be the very expensive
    "managed" variety, not the cheapo dumb ones people usually use on home
    networks.

    If you have a normal basic cheap switch then you have to run tcpdump on
    one of the machines involved in the connection to see the packets.

    If I'm interested in what a machine on the LAN is sending to the
    Internet then I'll run tcpdump on the router, as all the external
    traffic obviously has to pass through it. I don't really care about what
    machines on the LAN are sending to each other.

    Regards, Ian
     
    Ian Northeast, Aug 30, 2003
    #2
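
The forwarding behaviour described in the answer above, as an added example that is not part of any poster's message: a small simulation of a hub and a MAC-learning switch, reporting which frames a capture on machine B or on the router would see. The MAC labels, port numbers and frame sequence are constructed sample values.

```python
# Added illustration (not from the thread): which ports see each frame on a
# hub versus a learning switch. MAC labels and port numbers are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, ROUTER = "mac-A", "mac-B", "mac-router"
PORT = {A: 1, B: 2, ROUTER: 3}

# Constructed exchange: A resolves the router, then sends HTTP through it.
FRAMES = [
    (A, BROADCAST),   # ARP request from A
    (ROUTER, A),      # ARP reply
    (A, ROUTER),      # HTTP request leaving the LAN
    (ROUTER, A),      # HTTP response
]


class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        # A hub repeats every frame out of every port except the ingress one.
        return self.ports - {in_port}


class Switch(Hub):
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port          # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            return {self.mac_table[dst]} - {in_port}   # known unicast
        return self.ports - {in_port}          # broadcast/unknown: flood


def seen_at(device, frames, observer_port):
    """Per frame: would a capture on the host at observer_port see it?"""
    result = []
    for src, dst in frames:
        in_port = PORT[src]
        out_ports = device.forward(in_port, src, dst)
        # A host sees frames it sends as well as frames delivered to its port.
        result.append(observer_port == in_port or observer_port in out_ports)
    return result


if __name__ == "__main__":
    for name, dev in (("hub", Hub), ("switch", Switch)):
        for host in (B, ROUTER):
            print(name, host, seen_at(dev(PORT.values()), FRAMES, PORT[host]))
```

On the switch, B's capture sees only the broadcast, while the router's capture sees the whole exchange.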

  3. wlcna

    wlcna Guest

    A sanity check, since it's my first time using it. I like that command!
    Thanks very much again.
     
    wlcna, Aug 30, 2003
    #3
  4. Bill Unruh

    Bill Unruh Guest

    ]I'm trying to watch http traffic initiated from machine A on a LAN from
    ]machine B on same LAN, a linux box. This is mostly for convenience so I
    ]don't need to install extra stuff on machine A. This is a simple home
    ]LAN, not a business. I tried,

    ]tcpdump 'dst port 80'

    ]and

    ]tcpdump 'tcp port 80'

    man tcpdump
    Look at the host option.


    ]and in either case only saw traffic where the linux machine was involved.

    ]So I thought, duh, maybe it's because I have a switch and not a hub, since
    ]the purpose of a switch is to *not* send packets not involving a machine
    ]down *all* the wires like a hub does, right? Is that the only problem?

    Seems to be one problem.

    ]This is something tcpdump is supposed to be able to do, right? (I.e.

    I do it all the time.


    ]assuming a simple, cheap hub or old-fashioned coax ethernet "backbone"
    ]type connections.)
     
    Bill Unruh, Aug 30, 2003
    #4
  5. A bit of a drastic method of traffic snooping on the part of the
    legitimate network administrator, don't you think? :)

    I'm not sure exactly what the OP is trying to do but I would be
    surprised if there wasn't a better way to achieve it than that.

    I once needed to capture all LAN traffic to and from a couple of
    machines without using them, as I couldn't trust what they were
    reporting themselves. The problem turned out to be dodgy daughter boards
    that the NICs were plugged into. On this occasion I removed the problem
    machines from the switch and put a hub in, and attached a sniffer to the
    hub. Performance wasn't an issue as they weren't working properly in the
    first place.

    Regards, Ian
     
    Ian Northeast, Aug 30, 2003
    #5