How to capture all incoming packets to the NIC, even those packets that do not belong to me
AFAIK, the NIC receives all packets from the wire in a Local Area Network but rejects those packets whose destination address is not equal to its IP.
Correction: it rejects those packets whose destination MAC address is not equal to its MAC address (or multicast or any additional addresses in its filter).
Packet capture utilities can trivially put the network device into promiscuous mode, which is to say that the above check is bypassed and the device accepts everything it receives. In fact, this is usually the default: with tcpdump, you have to specify the -p option in order to not do it.
The more important issue is whether the packets you are interested in are even being carried down the wire to your sniffing port at all. Since you are using an unmanaged ethernet switch, they almost certainly are not. The switch is deciding to prune packets that don't belong to you from your port before your network device can hope to see them.
You need to connect to a specially configured mirroring or monitoring port on a managed ethernet switch in order to do this.
In the early days of ethernet hubs (not switches), sent packets were available to all hosts on the subnet, but hosts that were not the intended recipient were supposed to ignore them.
Obviously, it didn't take long for subnets to saturate, so switch technology was born to solve the problems, and one of the things they did was make the network switch only route packets destined for that host to that port (plus any broadcast traffic).
This complicates network monitoring/sniffing because you can only sniff packets that are for your host. This was considered a good thing from a security standpoint, but from a network monitoring standpoint not so good. To make network monitoring work, vendors implement a feature called port mirroring. This has to be configured on the network switch, and the link below should point you in the right direction for D-Link products. You'll find it somewhere in your switch's management software or web admin interface. If you don't find these features, then the functionality may not be provided in that specific device.
http://www.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/es_dgs_1210_como_monitorear_trafico_de_un_puerto_port_mirroring
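The two answers above come down to two separate filters: the switch decides which ports a frame is sent to, and the NIC decides which arriving frames it accepts. The following is an added example, not code from either answer; the host MACs, port numbers, traffic and the `LearningSwitch` model are constructed for illustration, and the mirror port is simplified to receive a copy of every frame.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample hosts: A on port 1, B on port 2, the sniffer S on port 3.
A, B, S = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
PORT = {A: 1, B: 2, S: 3}
# Constructed traffic: one broadcast from A, then a unicast conversation A <-> B.
FRAMES = [(A, BROADCAST), (B, A), (A, B), (B, A)]


def nic_accepts(dst, own_mac, promiscuous=False, extra_filter=()):
    """NIC receive filter: compares the destination MAC, not the IP address."""
    if promiscuous:
        return True  # filter bypassed, everything that arrives is accepted
    return dst in (own_mac, BROADCAST) or dst in extra_filter


class LearningSwitch:
    """Hypothetical model: known unicast goes to one port, the rest is flooded."""

    def __init__(self, ports, mirror_to=None):
        self.ports, self.mirror_to, self.mac_table = set(ports), mirror_to, {}

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port        # learn which port src lives on
        if dst in self.mac_table:
            out = {self.mac_table[dst]}      # known unicast: single port
        else:
            out = set(self.ports)            # broadcast or unknown: flood
        if self.mirror_to is not None:
            out.add(self.mirror_to)          # mirror port gets a copy
        return out - {in_port}


def captured(network, promiscuous):
    """Frames the sniffer on port 3 records; network is hub, switch or mirror."""
    switch = LearningSwitch(PORT.values(), mirror_to=3 if network == "mirror" else None)
    seen = []
    for src, dst in FRAMES:
        if network == "hub":
            out = set(PORT.values()) - {PORT[src]}  # hub repeats to all other ports
        else:
            out = switch.forward(PORT[src], src, dst)
        if PORT[S] in out and nic_accepts(dst, S, promiscuous):
            seen.append((src, dst))
    return seen


if __name__ == "__main__":
    for net in ("hub", "switch", "mirror"):
        for promisc in (False, True):
            print(f"{net:6} promiscuous={promisc!s:5} -> {len(captured(net, promisc))} of {len(FRAMES)} frames")
```

On the plain switch, promiscuous mode changes nothing: the unicast frames between A and B never reach port 3, so only the broadcast is captured.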
First you need to switch your NIC to promiscuous mode. Let's assume that your NIC interface is eth0.
root@linux# ifconfig eth0 promisc
If you're on a switched network, your sniffing is reduced to the collision domain connected to your switch port. You can run macof to overwhelm the forwarding table of the switch.
root@linux# macof -i eth0
Then you can use wireshark or tcpdump to capture all traffic.
root@linux# tcpdump -i eth0 -w outputfile
If you're not on a switched network, just enable the promiscuous mode and use tcpdump.