Old 12-06-2017, 04:40 PM   #1
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,167

Rep: Reputation: 889Reputation: 889Reputation: 889Reputation: 889Reputation: 889Reputation: 889Reputation: 889
tcpdump doesn't show all network traffic


Hi, I am running this on my desktop connected via Cat-5:
Code:
[schneidz@hyper ~]$ uname -a -m -p
Linux hyper 4.12.13-200.fc25.x86_64 #1 SMP Thu Sep 14 16:12:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[schneidz@hyper ~]$ tcpdump --version
tcpdump version 4.9.0
libpcap version 1.7.4
OpenSSL 1.0.2k-fips  26 Jan 2017
[schneidz@hyper ~]$ sudo tcpdump -i enp0s10 host 192.168.1.125
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s10, link-type EN10MB (Ethernet), capture size 262144 bytes
And then I go to linuxquestions.org on my laptop connected via wifi, but my desktop doesn't show any activity.
How do I see what web pages are being browsed on my laptop?
 
Old 12-07-2017, 04:34 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,574

Rep: Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929
Why would you think a tcpdump on your desktop would show the results on your laptop? Is your desktop the WiFi AP or is it acting as the router? What's the significance of 192.168.1.125?

Without knowing your actual network topology and what you want to achieve it's hard to give you an answer.

If you've a "typical" setup where you've an ISP-supplied Router/WiFi, where you've cabled your desktop and your laptop is WiFi, then tcpdump won't see any traffic. That's how switches work now: they switch packets between source and destination. Setting "promiscuous" mode on a NIC will only capture traffic on the segment the NIC is on. Back in the days of hubs you'd get all the traffic, but with intelligent switching that's long gone.
 
Old 12-07-2017, 09:07 AM   #3
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,167

Original Poster
Hi, I have a Cisco wifi router (192.168.1.1) connected to the cable internet transceiver that I am renting from my telecom.
192.168.1.25 (hyper) is my desktop connected via cat-5.
192.168.1.125 (stanley) is my laptop connected via wifi.


I also tried scanning using Wireshark in promiscuous mode. My (incorrect?) understanding is that all the network cards on my network had the ability to see all traffic whizzing by but normally ignore every packet that doesn't have their IP address associated with it.

With Wireshark and tcpdump I see some unrelated stuff from my kodi-htpc downstairs as well as other computers without a hostname (probably tablet and cellular telephone):
Code:
[schneidz@hyper ~]$ sudo tcpdump -i enp0s10 host not hyper
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s10, link-type EN10MB (Ethernet), capture size 262144 bytes
09:05:37.043400 IP6 hyper > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
09:05:37.159912 IP6 fe80::2c20:5279:87f1:6bdf > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
09:05:38.170784 IP gateway > all-systems.mcast.net: igmp query v2
09:05:42.060499 IP gateway > 224.0.0.251: igmp v2 report 224.0.0.251
09:05:44.750525 IP gateway > all-routers.mcast.net: igmp v2 report all-routers.mcast.net
09:05:46.620572 IP gateway > 239.255.255.250: igmp v2 report 239.255.255.250
09:06:04.247699 IP xbmc.6798 > 239.255.255.250.ssdp: UDP, length 160
09:06:04.250121 IP xbmc.6798 > 239.255.255.250.ssdp: UDP, length 160
09:19:35.677040 IP 192.168.1.127.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c8:5b:76:aa:6b:9a (oui Unknown), length 300
09:19:38.678514 IP 192.168.1.127.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c8:5b:76:aa:6b:9a (oui Unknown), length 300
09:19:46.813767 IP 192.168.1.111.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from a4:02:b9:bb:e5:c2 (oui Unknown), length 300
09:19:50.198902 IP 192.168.1.111.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from a4:02:b9:bb:e5:c2 (oui Unknown), length 300
It seems inconsistent what data I am capable of seeing and what not?

Last edited by schneidz; 12-07-2017 at 09:21 AM.
 
Old 12-07-2017, 09:14 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,574

Rep: Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929
Quote:
Originally Posted by schneidz View Post
My (incorrect?) understanding is that all the network cards on my network had the ability to see all traffic whizzing by but normally ignore every packet that doesn't have their IP address associated with it.
Kind of, but not now. It used to be like that when "dumb" hubs were used for ethernet. Now with switches the packets are switched between source and destination. Some high-end switches can have a port designated to receive ALL traffic that passes through the switch (usually for intrusion detection purposes), so you MAY have that ability in your Cisco, depending on the model.

Quote:
Originally Posted by schneidz View Post
With Wireshark and tcpdump I see some unrelated stuff from my kodi-htpc downstairs:
It seems inconsistent what data I am capable of seeing and what not?
Not inconsistent, it looks like what you're seeing is UDP "broadcast" traffic which would show up on all the machines in the subnet.
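To make the point in posts #2 and #4 concrete, here is a small classifier, added as an illustration and not part of any post in this thread. It runs over the destination fields from the tcpdump lines quoted above (plus one constructed unicast line to the TEST-NET address 203.0.113.10) and labels each as broadcast, multicast or unicast; on a switched LAN only the first two are flooded to every port, which is why those lines show up on the desktop while the laptop's web session does not. The WELL_KNOWN name map and the explain() helper are my own assumptions, and plain multicast flooding is assumed (a switch doing IGMP snooping may prune some of it).

```python
import ipaddress
import re

# Constructed sample: lines copied from the capture quoted in this thread,
# plus one hypothetical unicast line (laptop -> web server) for contrast.
SAMPLE_LINES = [
    "09:05:37.043400 IP6 hyper > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68",
    "09:05:38.170784 IP gateway > all-systems.mcast.net: igmp query v2",
    "09:05:46.620572 IP gateway > 239.255.255.250: igmp v2 report 239.255.255.250",
    "09:06:04.247699 IP xbmc.6798 > 239.255.255.250.ssdp: UDP, length 160",
    "09:19:35.677040 IP 192.168.1.127.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c8:5b:76:aa:6b:9a (oui Unknown), length 300",
    "09:20:01.000000 IP 192.168.1.125.51234 > 203.0.113.10.https: Flags [S], seq 1, length 0",  # constructed
]

# tcpdump resolves these well-known IPv4 multicast groups to names by default
# (assumed map, covering only the two names seen in the capture above).
WELL_KNOWN = {
    "all-systems.mcast.net": "224.0.0.1",
    "all-routers.mcast.net": "224.0.0.2",
}

# "src > dst: proto ..." -- the destination ends at the first ": " (IPv6 addresses contain ':' but not ': ').
DEST_RE = re.compile(r" > (\S+?): ")

def destination_of(line):
    """Return the raw destination field of one tcpdump line, or None."""
    m = DEST_RE.search(line)
    return m.group(1) if m else None

def to_address(dst):
    """Turn 'host', 'host.port' or a well-known group name into an ip_address; None if unresolvable."""
    dst = WELL_KNOWN.get(dst, dst)
    for candidate in (dst, dst.rsplit(".", 1)[0]):  # second form drops a trailing .port
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None

def classify(dst):
    """'broadcast', 'multicast', 'unicast', or 'unknown' for an unresolved hostname."""
    addr = to_address(dst)
    if addr is None:
        return "unknown"
    if addr.version == 4 and addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"

# A switch floods broadcast/multicast frames to every port; unicast between two
# other hosts is forwarded only to its destination port and never reaches this NIC.
VISIBLE_ON_SWITCHED_PORT = {"broadcast": True, "multicast": True, "unicast": False}

def explain(lines):
    """Map each destination seen to (class, whether a third host's NIC would see it)."""
    result = {}
    for line in lines:
        dst = destination_of(line)
        if dst is not None:
            kind = classify(dst)
            result[dst] = (kind, VISIBLE_ON_SWITCHED_PORT.get(kind))
    return result
```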
 
Old 12-07-2017, 09:17 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,574

Rep: Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929Reputation: 929
You may have better luck with a wireless NIC in the desktop to try and capture the WiFi traffic, depending on whether or not the card and driver support promiscuous mode.
 
Old 12-07-2017, 09:33 AM   #6
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,167

Original Poster
Quote:
Originally Posted by TenTenths View Post
You may have better luck with a wireless NIC in the desktop to try and capture the WiFi traffic, depending on whether or not the card and driver support promiscuous mode.
Yup... I'll give that a shot. An excuse for me to play around with airsnort.
All times are GMT -5.