use of promiscuous mode

Question

I have connected 3 laptops in same LAN.

lap-1: 192.168.1.2
lap-2: 192.168.1.3
lap-3: 192.168.1.4

I made lap-1 as server and listen on 9333 port. lap-2 acts as client. Using netcat I sent data from lap2 to lap1. I'm able to capture packets using pcap in lap1. I have turned on promiscuous mode using sudo ifconfig eth0 promisc. Also in pcap_live_open method I have set promiscuous mode flag.

Then I turned off promiscuous mode and also in pcap_live_open function. Still I'm able to capture packets.

I googled about promiscuous mode and what I could infer was if device opens an interface in promiscuous mode it would able to capture all packets attached to that network.

so considering this, I made acting lap-3 as server and lap-2 remains as client. I followed the same procedure as above. I run the pcap executable in lap-1 hoping that I would able to capture packets transferred between lap-3 and lap-2 but pcap running in lap-1 is not able to do so with promiscuous mode on. All 3 laps are connected to same network.

Can anyone enlighten me the use of promiscuous mode with simple scenario?

This is my pcap code: 29988 is reverse(swap) of 9333, I'm just looking for that.

#include <pcap/pcap.h>
#include <stdint.h>

const u_char *packet;  

int main()   
{
   char *dev = "eth0";
   pcap_t *handle;        
   int j=0;
   char errbuf[PCAP_ERRBUF_SIZE];  
   struct bpf_program fp;    
   bpf_u_int32 mask;      
   bpf_u_int32 net;    
   struct pcap_pkthdr header;   
   uint8_t *ip_header_len;
   uint16_t ip_header_len_val;
   uint16_t *port;

   /* Find the properties for the device */
   while (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
      printf("Couldn't get netmask for device %s: %s\n", dev, errbuf);
      net = 0;
      mask = 0;
   }
   printf("lookedup pcap device: %s\n", dev);

   /* Open the session in promiscuous mode */
   handle = pcap_open_live(dev, BUFSIZ,1,0, errbuf);
   if (handle == NULL) {
      printf("Couldn't open device %s: %s\n", dev, errbuf);
   }
   /* Compile and apply the filter */
   if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
      printf("Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
      pcap_close(handle);
   }
   /*     if (pcap_setfilter(handle, &fp) == -1) {

        printf("Couldn't install filter %s: %s", filter_exp, pcap_geterr(handle));
        return(-1);
    }
    */ 

   /* Grab a packet */
   while ((packet = pcap_next(handle, &header)) != NULL)
   {
      uint16_t *data_size;
      uint16_t size,total_len_val,tcp_header_len_val; 
      char tdata[128];     
      uint8_t *data,*tcp_header_len;
      uint16_t *total_len;

      //ip_proto = (uint8_t *)&packet[9];
      ip_header_len = (uint8_t *)&packet[14];

      ip_header_len_val = (*ip_header_len) & 0x0F;
      ip_header_len_val = ip_header_len_val*4;
      // printf("IP header len val:%d\n",ip_header_len_val);

      port = (uint16_t *)&packet[14+ip_header_len_val+2];
      //printf("port:%d\n",*port);

      total_len = (uint16_t *)&packet[14+2];
      total_len_val = ((*total_len) >> 8) & 0x00FF;
      total_len_val = total_len_val + (((*total_len) << 8) & 0xFF00);
      //total_len_val=*total_len;
      // printf("tot len val:%d\n",total_len_val);
      tcp_header_len = (uint8_t *)&packet[14+ip_header_len_val+12];
      tcp_header_len_val = (*tcp_header_len) & 0xF0;
      tcp_header_len_val = tcp_header_len_val>>4;
      tcp_header_len_val = tcp_header_len_val * 4;
      // printf("tcp header len val:%d\n",tcp_header_len_val);
      size = (total_len_val- ip_header_len_val) - tcp_header_len_val;


      data = (uint8_t *)&packet[14+ip_header_len_val+tcp_header_len_val];

      memset(tdata,0,128);
      mempcpy(tdata,data,size);
      tdata[size]='\0';
      if((*port)==29988)
      {       
         printf("Data Packet:%s\n",tdata);
      }
   }
}

How are they connected? If you have a router, it might only send the packets to the correct port, so no packets will arrive at lap1 to capture. — Bartlomiej Lewandowski, Apr 23 '14 at 12:30

score 4 · Answer 1 · answered Apr 23 '14 at 12:30

4

I expect that when you say that they are all on the same network, that what you mean is that they are connected to the same Ethernet switch. That switch will only send data to laptop1 that is destined for laptop1. In the old days when it was common to use an Ethernet hub, then all traffic went to all connected devices, but now a switch is very cheap and hubs are no longer common. If you can find a hub, then you can try this out, but otherwise you will only ever be able to see traffic destined for your device.

answered Apr 23 '14 at 12:30

Brad Budlong

1,775
11
10

i have connected all devices thorugh router. I just need the usecase where promiscuos mode will be useful – user3550166 Apr 23 '14 at 12:35
Unless you can configure your router/switch to also forward all traffic to the port where you are sniffing or you can find an old style hub, there won't be an application. – Brad Budlong Apr 23 '14 at 12:52
1

See [the Wireshark Wiki page on Ethernet captures](http://wiki.wireshark.org/CaptureSetup/Ethernet) for a long discussion of the issues you can have when capturing on a switch, and possible solutions to those issues. (Do not assume a "router" isn't also a switch.) – Apr 23 '14 at 18:16

score 0 · Answer 2 · answered Apr 23 '14 at 12:38

0

As Brad mentioned, the router knows at which port the destined device is connected, so it only send the packets there. If you want to try this out, you can use VirtualBox or VMware, and connect the machines in a virtual network.

answered Apr 23 '14 at 12:38

Bartlomiej Lewandowski

10,771
14
44
75

use of promiscuous mode

2 Answers2