
[screenshot from Wireshark]

My IP was configured as 192.168.101.91. I don't understand why my host is receiving packets which have a destination address of 192.168.87.203 (and many other IPs which I didn't capture), given that I have already shut down my KVM and disabled IP forwarding. Shouldn't TCP/IP filter these packets?

xczzhh
  • There could be several reasons for this: `1.` Wireshark is running in promiscuous mode and you're connected to a hub rather than a switch. `2.` You're connected to a switch and you're mirroring traffic to the switch port that your Wireshark computer is connected to. `3.` The traffic is being flooded to all switch ports because the destination MAC address to switch port "mapping" doesn't exist in the switch's MAC address table. – joeqwerty May 31 '15 at 05:53
  • 5
    Look at the window's title bar: (s)he's dumping a wireless interface. – MadHatter May 31 '15 at 05:54

1 Answer


Wireshark, being a network sniffer, puts both the interface firmware (if present) and the driver into promiscuous mode, meaning that it instructs the network stack to capture any packet arriving at your interface.

So the real question is: why do packets for other IPs arrive at your interface? It is due to how wireless Ethernet networks work: the AP basically uses its radio interface to broadcast packets to all nearby listeners. Normally, when an interface receives a packet, it checks whether it should grab and process it or discard the received frame. This is done using the information encoded in the DST MAC field: if the destination MAC is equal to the interface MAC, the packet is accepted; otherwise it is dropped.

However, Wireshark changes that, telling the interface firmware/driver that you actually want any packet arriving at it. This is the reason why you see packets not meant for you.

If you don't want to see these extraneous packets, you have two options:

  • de-select the promiscuous mode option in Wireshark;
  • use Wireshark's filtering capabilities to filter out the uninteresting packets.
shodanshok
  • "the AP basically uses its radio interface to broadcast packets to all nearby listeners" 1. What about on an Ethernet cable? 2. What you describe is broadcast, but why don't I see "broadcast" in the destination column in Wireshark, like I do when an ARP broadcast happens? Instead I just see an IP as source and an IP as destination. @shodanshok – Dark Cyber May 28 '19 at 12:52
  • 1
    @DarkCyber 1. an *hub* would broadcast any packets to any interfaces, while a *switch* would simulate a point-to-point connection between src and dst, avoiding any unnecessary transmission; 2. a true broadcast will have 255.255.255.255 and ffff:ffff:ffff:ffff as IP/MAC destinations, and that kind of explicit broadcast will be visible on switched networks also. However, an hub or wifi based network will broadcast even unicast packets - ie: packet with specific destinations. – shodanshok May 28 '19 at 16:14
  • @DarkCyber For more information, I strongly suggest reading [something as that](https://www.esds.co.in/blog/difference-between-unicast-broadcast-and-multicast/#sthash.7k0kFFUg.dpbs) – shodanshok May 28 '19 at 16:14
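The answer above describes a receive filter that acts on the destination MAC, not on the IP address, and that promiscuous mode switches off; the comment thread adds that broadcast frames carry an all-ones MAC and are delivered everywhere. The following added example (written for this page, not taken from the original thread or from Wireshark's code) models that filter over a few hand-built frames. Frames are constructed as plain Ethernet II with a bare IPv4 header, MAC and IP addresses are made up to mirror the question (our host is 192.168.101.91), and the multicast handling is simplified: real NICs use an imperfect hash filter rather than an exact set.

```python
"""Toy model of a NIC's receive filter in normal vs. promiscuous mode.

Added example, not code from the Server Fault answer. All frames and addresses
below are constructed for the demo.
"""
import struct
import ipaddress

ETH_P_IP = 0x0800                              # EtherType for IPv4
BROADCAST_MAC = bytes.fromhex("ff" * 6)        # ff:ff:ff:ff:ff:ff


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, dst_ip: str, src_ip: str) -> bytes:
    """Construct a minimal Ethernet II frame carrying a bare IPv4 header (TCP, no payload).
    The IP checksum is left at zero: this is a demo frame, not something to put on the wire."""
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0,                  # ver/IHL, DSCP, total length, id, flags/frag
        64, 6, 0,                           # TTL, protocol (TCP), checksum (not computed)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth_hdr + ip_hdr


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for IPv4, the source/destination addresses."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype == ETH_P_IP and len(frame) >= 34:
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))   # IPv4 src at eth(14)+12
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))   # IPv4 dst at eth(14)+16
    return info


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool = False,
                joined_multicast=()) -> bool:
    """The check a NIC applies before the IP stack ever sees a frame.

    Only the destination MAC is consulted: our own unicast address, the broadcast
    address, and multicast groups we have joined pass. Promiscuous mode (what
    Wireshark requests) bypasses the check entirely. The IP header is never looked at,
    so ip_forward has no influence on what reaches a capture."""
    if promiscuous:
        return True
    dst = frame[0:6]
    if dst == mac_bytes(own_mac) or dst == BROADCAST_MAC:
        return True
    if dst[0] & 0x01:                          # group (multicast) bit set in first octet
        return mac_str(dst) in {m.lower() for m in joined_multicast}
    return False


def visible_destinations(frames, own_mac: str, promiscuous: bool) -> list:
    """Destination IPs that would appear in a capture on this host."""
    return [parse_frame(f)["dst_ip"] for f in frames if nic_accepts(f, own_mac, promiscuous)]


# Constructed sample traffic; locally administered (02:..) MACs, made up for the demo.
OWN_MAC = "02:00:00:00:00:91"
AP_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    # 1. Normal traffic to us: dst MAC and dst IP are ours.
    build_frame(OWN_MAC, AP_MAC, "192.168.101.91", "10.0.0.5"),
    # 2. Traffic for another station on the same Wi-Fi: neither MAC nor IP is ours.
    build_frame("02:00:00:00:00:cb", AP_MAC, "192.168.87.203", "10.0.0.5"),
    # 3. A broadcast; Wireshark shows the all-ones MAC as "Broadcast".
    build_frame("ff:ff:ff:ff:ff:ff", AP_MAC, "255.255.255.255", "192.168.101.1"),
    # 4. Our MAC but a foreign IP (what a router/bridge host receives): accepted,
    #    because the filter never reads the IP header.
    build_frame(OWN_MAC, AP_MAC, "192.168.122.10", "10.0.0.5"),
]

if __name__ == "__main__":
    print("normal mode:     ", visible_destinations(SAMPLE_FRAMES, OWN_MAC, promiscuous=False))
    print("promiscuous mode:", visible_destinations(SAMPLE_FRAMES, OWN_MAC, promiscuous=True))
```

In normal mode frame 2 (the 192.168.87.203 packet from the question) never reaches the host's stack; with promiscuous mode on it does, which is exactly what Wireshark shows. Frame 4 illustrates why disabling IP forwarding cannot hide anything from a capture: the MAC filter decides delivery, and the IP layer only decides what to do with the frame afterwards.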