TCPdump

I've recently started learning to use TCPdump, and I find it pretty interesting. There's one thing I don't understand. When I tell it to capture packets on, say, the WiFi interface en1, it often captures packets sent or received by other hosts on the network. How can it do this? My understanding is that on a switched network, a host will only receive packets destined for that host. How is it that I can see packets destined for other hosts?

In order to know a packet is not for it, it reads the destination MAC address in the frame. You are in promiscuous mode, so the interface will accept all frames regardless of destination, reconstitute them into packets and send them to the CPU.

But I'm on a switched network, so the network switch will filter out packets not destined for my computer and I will not receive them. I can understand why I would be getting those packets if the network were using a hub, since a hub just broadcasts packets to all hosts, but a switch will only send them to the host they are addressed to.

This is a wireless interface, so this is not on a switched network; it probably has a connection and routes to your corporate switched network, but it's not exclusive. What other wireless devices are there anywhere near that might be scanning for routers to connect to? These may be personal devices, other companies' devices, even cars with satellite navigation looking for updates, etc.

Without a physical connection, you are effectively on a hub of the radio waves.

Robin

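To make the destination-MAC check from the replies above concrete, here is an added example (not code from the thread) that inspects the Ethernet II header of captured frames and reports which ones a NIC would deliver in normal operation and which are only visible because the interface is in promiscuous mode; the local MAC, the sample frames and the `summarize` helper are constructed for illustration.

```python
# Classify captured Ethernet II frames by destination MAC. In normal (non-promiscuous)
# operation a NIC keeps only frames addressed to its own MAC, broadcast frames and
# subscribed multicast groups; everything else is dropped before the OS sees it.
# LOCAL_MAC and the sample frames below are constructed, not taken from a real capture.

LOCAL_MAC = "00:11:22:33:44:55"  # assumed MAC of the capturing interface (e.g. en1)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble a minimal Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big") + payload


def parse_ethernet_header(frame: bytes) -> dict:
    """Return dst MAC, src MAC and EtherType from the first 14 bytes of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": fmt(frame[0:6]), "src": fmt(frame[6:12]),
            "ethertype": int.from_bytes(frame[12:14], "big")}


def classify(frame: bytes, local_mac: str = LOCAL_MAC) -> str:
    """Decide whether the NIC would accept this frame without promiscuous mode."""
    dst = parse_ethernet_header(frame)["dst"]
    if dst == local_mac.lower():
        return "unicast-to-me"
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 0x01:          # I/G bit set in the first octet => group address
        return "multicast"
    return "other-host (promiscuous only)"  # unicast for someone else, seen only as a "hub"


def summarize(frames: list, local_mac: str = LOCAL_MAC) -> dict:
    """Count frames per category, the way a quick triage of a capture would."""
    counts: dict = {}
    for frame in frames:
        kind = classify(frame, local_mac)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


SAMPLE_FRAMES = [  # constructed sample traffic
    build_frame(LOCAL_MAC, "aa:bb:cc:00:00:01"),            # addressed to us
    build_frame(BROADCAST, "aa:bb:cc:00:00:02", 0x0806),    # ARP broadcast
    build_frame("01:00:5e:00:00:fb", "aa:bb:cc:00:00:03"),  # mDNS multicast
    build_frame("aa:bb:cc:00:00:09", "aa:bb:cc:00:00:04"),  # two other hosts talking
]
```

Running `summarize(SAMPLE_FRAMES)` on a real tcpdump capture (converted to raw frames) shows how much of what you see is the last category, which is exactly the traffic a switch would have kept from you but a shared radio medium does not.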