Wireshark and Promiscuous Mode

Why you may not be seeing all the traffic you think you should

“Promiscuous mode” (you’ve gotta love that nomenclature) is a network interface mode in which the NIC reports every packet that it sees. If you’re using the Wireshark packet sniffer and have it set to “promiscuous mode” in the Capture Options dialog box, you might reasonably think that you’re going to be seeing all the traffic on your network segment. This is not necessarily the case, and there could be several reasons for it. So before you use this tool to draw conclusions about traffic on your Windows network, it’s worth seeing if you’re really capturing what you think you’re capturing. If you’re connected to a switch as opposed to a hub, broadcast traffic and multicast traffic will go to all ports, but unicast traffic does not. Check your switch to see if you can configure the port you’re using for Wireshark to have all traffic sent to it (“monitor” mode), and/or to “mirror” traffic from one port to another. (Here’s one of the benefits of those more expensive managed switches.) The Wireshark SwitchReference page could be helpful here; it’s at http://wiki.wireshark.org/SwitchReference. You might think that you could revert to using an old-style hub, given that hubs don’t segment network traffic as switches do; and this “hubbing out” method might work, but even hubs don’t necessarily pass all traffic. For example, on some multispeed hubs, listening on a 100 Mbps port may not capture traffic on ports operating at 10 Mbps. Separate from any hub and switch issues, some network interfaces do not allow themselves to be thrown into promiscuous mode. So if you think your network plumbing should permit promiscuous mode, you may want to check the NIC manufacturer’s website to see if there’s an issue there. Sometimes there’s a setting in the driver properties page in Device Manager that will allow you to manually set promiscuous mode if Wireshark is unsuccessful in doing so automatically. Some network interfaces even have a driver setting that permits an administrator to *permanently* disable promiscuous mode on that adapter! So before you make any grand pronouncements about the results of your Wireshark research, make sure you inform yourself about the ways in which the traffic that you’re capturing may not be showing the whole picture. This tool is easy to use for capturing traffic in and out of one specific host, but beyond that, there are a lot of variables to consider!

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.