What is a cache flush, and how do you explain this TCPdump pattern?

I ran TCPdump a few times on my home network and found a lot of packets that were marked (Cache Flush), seemingly originating with my sister's laptop. I can't see any HTTP or HTTPS packets during the time periods that I was running TCPdump, which is odd, because I'm pretty sure people were browsing the web at the time, and I also only saw the cache flushes originating from her computer, not from anyone else's. What do these cache flushes mean? Are they remnants from an HTTP or HTTPS session? And why am I not seeing any HTTP/HTTPS packets in TCPdump, despite the fact that other people in the house were online? Is it simply a matter of me not running TCPdump while anyone was loading a web page? Or is it something else? There seems to still be a lot I don't understand about networking.

Zen Hacker

Posted 2015-12-24T16:38:39.487

Reputation: 353

Answers

Your question is incomplete – many tcpdump markings are protocol-specific, so just saying "packets marked (Cache Flush)" means nothing at all; you need to post the full packet information.

In particular, "(Cache Flush)" is a parameter of mDNS packets, which are used for service discovery within the LAN. Computers running mDNS (usually OS X, but also some Linux systems, or Windows with iTunes) periodically send packets saying "my name is ZenComputer.local" (as well as additional information about offered services), and the "cache flush" bit basically means "forget all old information about this name and cache the new information".

(On that note, you might be better off using tshark or Wireshark – they usually generate more consistent and less confusing output.)


You are not seeing HTTP/HTTPS packets because you don't have any HTTP or HTTPS connections active. In other words, you're only seeing broadcasts and your own traffic.

If you use Wi-Fi, your computer's Wi-Fi adapter automatically discards all packets with the "wrong" address (partly to not waste power by bothering the OS about garbage). It might be possible to see them using the 'promisc' or 'monitor' modes (see Capture/WLAN on Wireshark's website), but often that's only supported on Linux.

If you have a wired connection, you won't receive these packets at all. Practically all Ethernet networks these days are switched – each Ethernet port remembers the MAC addresses of computers connected to it, and only sends packets to the right port. (While 15 years ago Ethernet hubs would send everything everywhere and you could see the data by enabling promiscuous mode, that's not true anymore.)

user1686

Posted 2015-12-24T16:38:39.487

Reputation: 283 655
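To make the "(Cache Flush)" marking concrete, here is an added example (not code from the answer above or from tcpdump) that decodes mDNS packets and shows what the bit does. The cache-flush flag is the high bit of the 16-bit class field in a resource record (RFC 6762, section 10.2); the same bit position in a question means "please reply by unicast" instead. The packet bytes are constructed inline, and the hostname ZenComputer.local and the addresses are made-up values. The toy cache applies the flag immediately; the RFC's one-second grace period for records in the same response is left out to keep the example short.

```python
"""Decode mDNS packets and apply the cache-flush bit (RFC 6762 section 10.2).

Added example for this page, not code from the original answer.  All packet
bytes are constructed below; ZenComputer.local and the 192.168.1.x addresses
are assumed values chosen for illustration.
"""
import struct

CACHE_FLUSH = 0x8000  # high bit of the RR class in an mDNS *response* record
# (the same bit in a *question* means "unicast response requested" instead)


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return out + b"\x00"


def parse_name(packet, offset):
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, seen, end = [], set(), None
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # pointer: jump, but remember where we came from
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            continue
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_mdns(packet):
    """Return header flags, questions and resource records of an mDNS packet,
    splitting the cache-flush / unicast-reply bit out of the class field."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = parse_name(packet, offset)
        qtype, qclass = struct.unpack_from("!HH", packet, offset)
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass & 0x7FFF,
                          "unicast_reply": bool(qclass & CACHE_FLUSH)})
    for _ in range(an + ns + ar):
        name, offset = parse_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        records.append({"name": name, "type": rtype, "class": rclass & 0x7FFF,
                        "cache_flush": bool(rclass & CACHE_FLUSH), "ttl": ttl,
                        "rdata": packet[offset:offset + rdlen]})
        offset += rdlen
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def build_announcement(hostname, ipv4, ttl=120, cache_flush=True):
    """Construct the unsolicited response a host sends to say 'my name is
    <hostname>': one A record, flags = response + authoritative answer."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rclass = 1 | (CACHE_FLUSH if cache_flush else 0)  # class IN, optionally flushed
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + encode_name(hostname) + struct.pack("!HHIH", 1, rclass, ttl, len(rdata)) + rdata


class MdnsCache:
    """Minimal resolver cache showing what the bit means: a cache-flush record
    replaces every cached record with the same (name, type, class); a record
    without the bit is simply added alongside whatever is already cached."""

    def __init__(self):
        self.entries = []

    def apply(self, record):
        key = (record["name"], record["type"], record["class"])
        if record["cache_flush"]:
            self.entries = [r for r in self.entries
                            if (r["name"], r["type"], r["class"]) != key]
        self.entries.append(record)

    def addresses(self, name):
        return sorted(".".join(str(b) for b in r["rdata"])
                      for r in self.entries if r["name"] == name and r["type"] == 1)


if __name__ == "__main__":
    cache = MdnsCache()
    for pkt in (build_announcement("ZenComputer.local", "192.168.1.23"),
                build_announcement("ZenComputer.local", "192.168.1.42"),
                build_announcement("ZenComputer.local", "192.168.1.99", cache_flush=False)):
        for rec in parse_mdns(pkt)["records"]:
            print(rec["name"], "A", ".".join(map(str, rec["rdata"])),
                  "(Cache flush)" if rec["cache_flush"] else "")
            cache.apply(rec)
    print(cache.addresses("ZenComputer.local"))
```

Running it feeds three announcements for the same name through the cache: the second (cache-flush set) evicts the first address, while the third (bit clear) is added next to the second, so the cache ends up holding 192.168.1.42 and 192.168.1.99. That is exactly the "forget all old information about this name" behaviour the answer describes, and why a laptop that keeps re-announcing itself shows up in tcpdump as a stream of cache-flush records.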

I thought promiscuous mode was enabled by default. How would enabling promiscuous mode allow you to see unicast packets not destined for your computer if they're discarded by your wireless card? Does the libpcap software have some control over the behavior of the wireless card? – Zen Hacker – 2015-12-24T20:03:54.323

It'd tell the wireless card to stop discarding them, of course. (Actually, yeah, tcpdump always enables it during capture – but not all wireless drivers honor the option. Again, you'll have better luck with it on Linux.) – user1686 – 2015-12-24T20:42:28.287

(Actually, libpcap supports monitor mode better on OS X than on any other OS, as it's the OS on which it has to do the smallest amount of painful cr*p in order to turn monitor mode on. Promiscuous mode is supported pretty much equally well on all OSes supported by libpcap, although turning it on for a Wi-Fi device doesn't work well at all on Windows. It's not clear whether promiscuous mode does anything useful on any Wi-Fi devices.) – None – 2015-12-25T07:54:40.017