1
votes

I use Wireshark to capture the packets on my computer. I want to get the packets from 219.231.143.116 (source IP), and my IP is 219.231.143.220 (destination IP).

In fact, I got what I wanted, but to my surprise, I got some others' packets. Those packets' source IP and destination IP were not 219.231.143.116 or 219.231.143.220.

As far as I know, TCP is the 3rd layer in the TCP/IP protocol, and the switch would not send those packets that don't belong to me. So, the problem is: why could I capture them on my computer? Is this an issue with Wireshark or the switch?

(Because my level is too low, the image is here, I'm sorry!) http://mysource.lofter.com/post/1cfd51e8_55d5972

1
Your NIC could be in promiscuous mode. - nouney
But a network adapter in promiscuous mode still can't capture packets not sent to it in the first place, and, if the network interface on the computer running Wireshark was plugged into a switch, and the switch port wasn't set up as a "mirror port" so that the switch forwards other traffic to it, unicast traffic not to or from that network interface's MAC address won't even be sent to that interface. - user862787
So the computer running Wireshark is plugged into a network switch (rather than a hub)? Are you seeing a lot of that traffic, or just a few packets to or from other hosts? What is the MAC address of the interface that's plugged into the switch? - user862787
If an Ethernet switch doesn't know which port a MAC address belongs to, it will flood the packet out on all ports. And it'll likely learn the MAC address to port mapping once the receiving host which owns the unknown MAC address replies to those packets. - nos
Yes, I am sure that my computer is plugged into a switch (you can see the image I uploaded. The switch is called "HangZhou_90:c7:00". It's one of H3C's products.) @GuyHarris - Justin

1 Answer

0
votes

The switch decides which packets to send you. You can't change this. You can only filter out (in Wireshark) the packets you don't want to work with.

Wireshark will show you all the packets you actually receive (in promiscuous mode).

All the additional packets you highlight in your image are TCP Retransmission packets. The switch may be casting the packets wider because retransmissions are occurring, so something is timing out. Or, there may be a broadcast or multicast flag set in the packet, as the source attempts to get its retransmissions heard.

You won't get a lot of packets destined for other computers, and you won't get a complete sequence of sent & received packets belonging to another device (unless you configure the switch to do so with port mirror).

If you really really don't want to see or leak those packets to a particular device, you could use a physical firewall like pfsense or a router between you and the switch, to absolutely filter out multicast traffic originating in your network. This would be an usual use case.
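
The flooding behaviour described in nos's comment, and the answer's advice to filter on the capture side, can be checked by sorting captured frames by destination MAC. The following is an added example, not part of the original thread: the MAC addresses and frames are constructed, and the function names are hypothetical.

```python
# Added example: explain why each captured Ethernet frame reached this NIC.
import struct
from collections import Counter

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def classify_frame(frame, my_mac):
    """Classify a raw Ethernet frame relative to our own MAC address."""
    if len(frame) < 14:
        return "truncated"        # shorter than an Ethernet header
    dst, src = frame[0:6], frame[6:12]
    if dst == b"\xff" * 6:
        return "broadcast"        # a switch sends this to every port
    if dst[0] & 0x01:
        return "multicast"        # I/G bit set: group address
    if dst == my_mac or src == my_mac:
        return "mine"             # unicast to or from this host
    # Unicast between other hosts: a switch only delivers this when it
    # floods an unlearned destination MAC or the port is a mirror port.
    return "foreign-unicast"

def summarize(frames, my_mac_text):
    """Count frames per category for a capture taken on one interface."""
    my_mac = mac_bytes(my_mac_text)
    return Counter(classify_frame(f, my_mac) for f in frames)

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal frame (header plus padding) for the sample data."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

# Constructed sample capture (locally administered MACs, not real hosts).
MY_MAC = "02:00:00:00:00:20"
SAMPLE_FRAMES = [
    build_frame(MY_MAC, "02:00:00:00:00:16"),               # to us
    build_frame("02:00:00:00:00:16", MY_MAC),               # from us
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:30"),  # broadcast
    build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:30"),  # multicast
    build_frame("02:00:00:00:00:40", "02:00:00:00:00:30"),  # other hosts
    b"\x00" * 10,                                           # cut-off frame
]

if __name__ == "__main__":
    for category, count in summarize(SAMPLE_FRAMES, MY_MAC).items():
        print(f"{category:16} {count}")
```

A handful of foreign-unicast frames is consistent with the switch flooding for a destination MAC it has not learned; a complete two-way conversation between other hosts points to a mirror port instead.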