LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 08-29-2011, 06:16 AM   #1
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Rep: Reputation: 0
tcpdump !


I have 3 other Windows computers in my LAN. When I run tcpdump it shows me only the packets in and out of my NIC (eth0), even if I choose all interfaces. Is there a way to see what the other computers in my LAN are doing on the internet?
Quote:
root@darkstar:/home/tux# tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.usbmon4 (USB bus number 4)
6.usbmon5 (USB bus number 5)
7.any (Pseudo-device that captures on all interfaces)
8.lo
 
Old 08-29-2011, 06:56 AM   #2
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,910

Rep: Reputation: 5026
"tcpdump -i eth0" should show you all traffic on your local LAN segment. After you start tcpdump, check the end of /var/log/messages and you should see ": device eth0 entered promiscuous mode". My understanding is that not all cards/drivers support promiscuous mode though.

You also have to bear in mind that if you're using a switch rather than a hub for your network connection then you may not see traffic for other hosts anyway, as the switch will be sending them appropriately and your NIC will never see those frames. Again, my understanding is that WPA wireless networks work in the same way, so you'll only see broadcast frames.

Also, don't use the '-i any', as that won't use promiscuous mode.
 
1 members found this post helpful.
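
Two ways to confirm the promiscuous-mode state GazL describes, as an added example that is not part of the thread: replaying the kernel log messages, and testing the IFF_PROMISC bit (0x100) in the interface flags. The function names and the sample log lines are constructed for illustration.

```shell
# IFF_PROMISC is bit 0x100 of the value in /sys/class/net/<if>/flags.
flags_promisc() {            # $1 = flags value, e.g. 0x1103 -> yes / no
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Replay kernel "entered/left promiscuous mode" messages from stdin and
# print the last state logged for one interface: on, off or unknown.
promisc_from_log() {         # $1 = interface name
    awk -v ifc="$1" '
        index($0, "device " ifc " entered promiscuous mode") { s = "on" }
        index($0, "device " ifc " left promiscuous mode")    { s = "off" }
        END { print (s == "" ? "unknown" : s) }'
}

# Constructed sample log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Aug 29 06:40:01 darkstar kernel: device eth0 entered promiscuous mode
Aug 29 06:41:17 darkstar kernel: device eth0 left promiscuous mode
Aug 29 06:50:09 darkstar kernel: device eth0 entered promiscuous mode
Aug 29 06:50:30 darkstar kernel: device lo entered promiscuous mode
Aug 29 06:50:55 darkstar kernel: device lo left promiscuous mode
EOF
}

echo "log says eth0: $(sample_log | promisc_from_log eth0)"
# Live check, only where the interface exists on this machine.
if [ -r /sys/class/net/eth0/flags ]; then
    echo "flag bit eth0: $(flags_promisc "$(cat /sys/class/net/eth0/flags)")"
fi
```

On a real system, feed the function the actual log, for example `promisc_from_log eth0 < /var/log/messages`, while tcpdump is running.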
Old 08-29-2011, 07:45 AM   #3
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Original Poster
Rep: Reputation: 0
Actually I'm using a "TP-Link router" and every host is directly connected (no switches) to a router port. Also, I see only the broadcast packets like you said. /var/adm/messages says that it is in promiscuous mode. Is it possible to check the packets in this case?
 
Old 08-29-2011, 08:17 AM   #4
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,910

Rep: Reputation: 5026
If you're not seeing any traffic except broadcasts when in promiscuous mode then it seems likely that your router contains an internal switch rather than a hub. Best advice I can offer is have a read through your router manual and see if there is any mention of switching and whether you can disable it.
 
Old 08-29-2011, 08:21 AM   #5
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 91
That router is actually a router+switch.
You won't be able to see packages from other computers to that router.

Only "professional" switches and routers have the capability to mirror certain ports to another port, so that you can capture packages that are not supposed to go to your computer.
If you *really* need to see packages from all systems going to the internet for example, you might want to build a small Linux router (can be an older box, but it needs two NICs) and put it between the router and a cheap switch.
 
1 members found this post helpful.
Old 08-29-2011, 09:25 AM   #6
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,910

Rep: Reputation: 5026
Wow, looks like I was living in the past..

Just had a quick look around, and sadly, the old layer 1 repeating hubs are long gone. Seems everything is a switch these days. Pity, despite their drawbacks they were useful at times.
 
Old 08-29-2011, 09:57 AM   #7
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Original Poster
Rep: Reputation: 0
@GazL Yes, it contains an internal switch, but there is nothing indicating how to disable the switch :s

@niels.horn I don't have a professional router though. I don't *really* need to see packages from all hosts, I was just curious about that. I think I can't build that Linux router, I'm just a Linux newbie.
 
Old 08-29-2011, 10:55 AM   #8
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 91
@idnotcrae: When I installed my first Linux router I also was a newbie. That's the way we learn new things, especially if it's just a hobby project, without your boss wanting immediate results
 
Old 08-29-2011, 11:21 AM   #9
wargus
Member
 
Registered: Mar 2010
Location: Switzerland
Distribution: Slackware
Posts: 98

Rep: Reputation: 23
Not sure here, but as far as I know you could relay the traffic with ARP poisoning. What I don't know is if you can do it on a separate branch of the router (if you connect each host to a port on the router and each of them is in a separate subnet), and I don't know if Linux hosts believe and accept the poisoning the same way as MS hosts do (at least <= XP do). This also means that all traffic of other hosts will go through your host and thus will slow down connection speed. Check out Ettercap; although it is no longer maintained, it works well in some cases.

 
Old 08-29-2011, 11:25 AM   #10
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Original Poster
Rep: Reputation: 0
Yup, you are right, it's the way we learn things, but for now I have other things that keep my mind busy enough and have higher priority, like learning the basics well first; then other stuff like building routers will be well understood.
 
Old 08-29-2011, 01:22 PM   #11
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Original Poster
Rep: Reputation: 0
@wargus What does ARP poisoning mean exactly? I don't have any other Linux hosts in the LAN; the other hosts run Windows XP.
 
Old 08-30-2011, 03:37 AM   #12
wargus
Member
 
Registered: Mar 2010
Location: Switzerland
Distribution: Slackware
Posts: 98

Rep: Reputation: 23
I guess here it is explained better than I could do in English...


 
Old 08-30-2011, 05:41 AM   #13
idnotcrae
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 121

Original Poster
Rep: Reputation: 0
I trust you more than Wikipedia, but I'll have a look.
 
  


All times are GMT -5.