capture traffic between boards at PC using wireshark

Question

I have two board connected using ethernet interface by means of switch. I have a linux machine connected to the switch where I run wireshark. I assign same IP address range for both boards and the PC. I m able to communicate between all the three(two boards and pc). I beleive that I should be able to capture packets exchanged between the boards too at PC using wireshark (run with promiscuous mode). But unable to see any packets.? Please let me know what is wrong here? Also let me knw how to capture the traffic between the boards using the PC.

Thanks, Kmr

As the answers say, nothing is wrong here. The switch is operating as it is designed to do, which is NOT send packets to unintended machines. You can replace the switch with a hub, or do some of the fancy tricks that they have outlined. — mfinni, Oct 20 '10 at 12:54

score 1 · Answer 1 · answered Oct 20 '10 at 11:23

Switches are generally smart enough to only send packets to the correct destination port. The Linux machine will only receive traffic specifically destined for that machine, as well as broadcast traffic. In order to see everything, you will need to either:

Easy: Use a actual Ethernet hub, which broadcasts all traffic to every port.
Moderate: Setup the switch to mirror the data from one of the PC ports to the Linux machine. This will require a switch that includes this feature, which generally is only available on higher-end switches
Hard: Build/buy an Ethernet tap. http://www.enigmacurry.com/category/diy/ or http://www.sun.com/bigadmin/content/submitted/passive_ethernet_tap.jsp

A more detail discussion is at http://wiki.wireshark.org/CaptureSetup/Ethernet , including a full discussion of the port mirroring versus Ethernet tap.

Or use ARP poisoning... – Bart Silverstrim Oct 20 '10 at 11:25 — Bart Silverstrim, Oct 20 '10 at 11:25

score 0 · Answer 2 · answered Oct 20 '10 at 11:12

0

You need to ARP poison other hosts:

echo 1 > /proc/sys/net/ipv4/ip_forward
ettercap -o -T -P repoison_arp -M arp:remote /host.a.ip.addres/ /host.b.ip.addres/

or make the swith behave as a hub -- overload its MAC table

answered Oct 20 '10 at 11:12

Hubert Kario

6,361
6
36
65

Surely its only necessary to poison the cache on the switch - not on the targets (although the targets do provide a convenient end point to shoot packets at across the switch)? – symcbean Oct 20 '10 at 12:01
The targets. What arp poison does is to lie to computer A that you are computer B and to computer B that you are computer A. This way when computer A wants to contact computer B it sends packet with computer B IP, but your computer MAC. Switch sees only the MAC and sends it to you. That's also why your computer needs to have `ip_forward` enabled -- to be able to forward those packets to computer B with computer B MAC. – Hubert Kario Oct 20 '10 at 16:49

capture traffic between boards at PC using wireshark

2 Answers2