Promiscuous mode is how network interfaces are forced to see traffic not meant for them, but it’s not the magical "see everything" button you might think.

Let’s watch tcpdump in action. Imagine you have two machines, client and server, connected by a simple switch.

client (192.168.1.10) is pinging server (192.168.1.20).

On client, you’d normally run:

tcpdump -i eth0 host 192.168.1.20

This shows only the traffic to or from server that client itself sends or receives: the pings going out and the replies coming back.

Now, let’s say you want to see all traffic passing through the switch, not just what’s for client. You’d think enabling promiscuous mode on client’s interface (eth0) would do it. You’d run:

sudo ip link set eth0 promisc on
tcpdump -i eth0 -p host 192.168.1.20

The -p flag tells tcpdump to not put the interface into promiscuous mode, because we’ve already done it with ip link.

Here’s the surprise: even with promiscuous mode enabled on client’s NIC, you still won’t see the traffic originating from server and destined for some other machine on the segment. You’ll only see traffic destined for client or originating from client, regardless of whether the NIC is in promiscuous mode or not.

Without promiscuous mode, the NIC accepts only frames addressed to its own MAC address, broadcast frames, and multicast frames it is subscribed to. Promiscuous mode switches that filter off and passes every frame that reaches the NIC up to the OS, but it does not turn the NIC into a wiretap for the entire network segment: it cannot show frames that the switch never forwarded to its port.

So, what’s the point?

The point is that on a hub (an old, dumb device), all traffic was broadcast to every port. A NIC in promiscuous mode would see everything. On a switch, however, traffic is directed only to the port where the destination MAC address is known to reside. Promiscuous mode on a single host connected to a switch only lets that host see traffic intended for itself, plus broadcasts and multicasts. It doesn’t inherently allow you to see traffic between two other devices on the same switch.
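To make the hub-versus-switch distinction concrete, here is a small Python model (an added example, not from the original article or from tcpdump) of a NIC's destination filter, a hub, and a MAC-learning switch; all MAC addresses and frames are constructed. It also shows the one case where a promiscuous NIC behind a switch does see someone else's unicast: a frame whose destination MAC the switch has not learned yet, which it floods to every port.

```python
from collections import namedtuple
BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")

class NIC:
    """End-host interface; promiscuous mode disables its destination-MAC filter."""
    def __init__(self, mac, promisc=False):
        self.mac, self.promisc, self.captured = mac, promisc, []

    def receive(self, frame):
        # This check is the only thing promiscuous mode turns off; it cannot
        # produce frames that the hub or switch never delivered to this port.
        if self.promisc or frame.dst in (self.mac, BROADCAST):
            self.captured.append(frame)

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = ports  # port number -> NIC

    def send(self, frame, in_port):
        for port, nic in self.ports.items():
            if port != in_port:
                nic.receive(frame)

class Switch(Hub):
    """Learns source MACs per port; known unicast goes to one port, the rest is flooded."""
    def __init__(self, ports):
        super().__init__(ports)
        self.cam = {}  # learned MAC -> port

    def send(self, frame, in_port):
        self.cam[frame.src] = in_port
        out = self.cam.get(frame.dst)
        if out is None or frame.dst == BROADCAST:
            super().send(frame, in_port)  # unknown unicast or broadcast: flood
        elif out != in_port:
            self.ports[out].receive(frame)

def captured_by_client(device_cls, client_promisc):
    """Constructed scenario: server talks to a third host; return what client's NIC kept."""
    client = NIC("aa:aa:aa:aa:aa:01", promisc=client_promisc)
    server, other = NIC("aa:aa:aa:aa:aa:02"), NIC("aa:aa:aa:aa:aa:03")
    dev = device_cls({1: client, 2: server, 3: other})
    dev.send(Frame(server.mac, other.mac, "server->other #1"), 2)  # dst unknown to a switch yet
    dev.send(Frame(other.mac, server.mac, "other->server"), 3)      # switch learns other's port
    dev.send(Frame(server.mac, other.mac, "server->other #2"), 2)  # switch sends to port 3 only
    dev.send(Frame(server.mac, BROADCAST, "server->broadcast"), 2)
    return [f.payload for f in client.captured]
```

`captured_by_client(Hub, True)` returns all four payloads, while `captured_by_client(Switch, True)` returns only the flooded first frame and the broadcast; with `promisc=False` either device yields just the broadcast.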

How to actually capture traffic not meant for your machine on a switched network:

  1. Port Mirroring (SPAN port): This is the enterprise-grade solution. You configure the switch itself to copy all traffic from one or more ports (or even VLANs) to a designated "SPAN" port. You then connect your tcpdump machine to this SPAN port.

    • Configuration (Cisco IOS example; Gi1/0/1 is the monitored port, Gi1/0/24 the SPAN destination):
      configure terminal
      monitor session 1 source interface GigabitEthernet1/0/1 rx
      monitor session 1 destination interface GigabitEthernet1/0/24
      end

      The rx keyword mirrors only traffic received on Gi1/0/1; leaving it out mirrors both directions.
      On the machine connected to GigabitEthernet1/0/24, you’d run tcpdump -i eth0.

  2. Network Tap: A physical device inserted inline between two network devices (e.g., between the switch and a router). It passively copies all traffic passing through it to a separate monitoring port. This is hardware-based and doesn’t rely on switch configuration.

  3. ARP Spoofing/Poisoning (Use with extreme caution, and only on networks you own and manage): This is an active attack technique where you trick other devices on the network into sending their traffic through your machine. You send forged ARP messages to the gateway and the target machine, making them think your MAC address is the gateway’s MAC address, and vice-versa.

    • Tool: arpspoof (part of the dsniff suite).
    • Example: To capture traffic between client (192.168.1.10) and gateway (192.168.1.1) on your machine (192.168.1.5):
      # Enable IP forwarding on your machine
      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
      
      # Start arpspoof to poison client and gateway
      sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
      sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
      
      # In another terminal, run tcpdump on traffic routed through your machine
      sudo tcpdump -i eth0 -n -s0 host 192.168.1.10 or host 192.168.1.1
      
    • Why it works: You’ve inserted yourself into the communication path. Traffic destined for the gateway from client is sent to your MAC, and you then forward it to the real gateway. Traffic from the gateway to client is sent to your MAC, and you forward it. tcpdump sees it all as it passes through your machine. Remember to disable IP forwarding and stop arpspoof when done.
  4. Managed Switch Features (e.g., RSPAN, ERSPAN): More advanced versions of port mirroring that can send mirrored traffic over a Layer 3 network or even encapsulate it in GRE tunnels.

The core misconception: Promiscuous mode on a NIC is about what the NIC accepts and passes up to the OS, not about what the network infrastructure sends to the NIC. On a switched network, the switch is the gatekeeper, and it’s designed not to send traffic promiscuously.

The next thing you’ll run into is understanding how to filter the massive amount of data you capture, even with port mirroring.
