Living Promiscuously

Before you can sniff packets on a network, you need a network interface card (NIC) that supports a promiscuous mode driver. Promiscuous mode is what allows a NIC to view all packets crossing the wire.

As you learned in Chapter 1, with network broadcast traffic, it’s common for clients to receive packets that are not actually destined for them. ARP, which is used to determine which MAC address corresponds to a particular IP address, is a crucial fixture on any network, and it’s a great example of traffic sent to hosts other than the intended recipient. To find the matching MAC address, ARP sends a broadcast packet to every device on its broadcast domain in hopes that the correct client will respond.

A broadcast domain (the network segment where any computer can directly transmit to another computer without going through a router) can consist of several computers, but only one client on that domain should be interested in the ARP broadcast packet that is transmitted. It would be terribly inefficient for every computer on the network to actually process the ARP broadcast packet. Instead, the NICs of the devices on the network for whom the packet is not destined recognize that the packet is of no use to them, and the packet is discarded rather than being passed to the CPU for processing.

The discarding of packets not destined for the receiving host improves processing efficiency, but it’s not so great for packet analysts. As analysts, we typically want to see every packet sent across the wire so that we don’t risk missing some crucial piece of information.

We can ensure we capture all of the traffic by using the NIC’s promiscuous mode. When operating in promiscuous mode, the NIC passes every packet it sees to the host’s processor, regardless of addressing. Once the packet makes it to the CPU, it can then be grabbed by a packet-sniffing application for analysis.
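To make the NIC's filtering decision concrete, here is an added Python example (not code from the book) that simulates it on two constructed frames: an ARP broadcast request and a unicast IPv4 frame addressed to another host. The MAC and IP addresses are made up, and the "NIC" is a function that applies the same accept/discard rule described above.

```python
import socket
import struct

ETH_HDR_LEN = 14
BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
OWN_MAC = "de:ad:be:ef:00:01"  # constructed: MAC of the interface we sniff from

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload).
    A truncated frame makes struct.unpack raise struct.error."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    to_str = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return to_str(dst), to_str(src), ethertype, frame[ETH_HDR_LEN:]

def classify_destination(dst_mac: str, own_mac: str) -> str:
    raw = mac_bytes(dst_mac)
    if raw == BROADCAST:
        return "broadcast"
    if dst_mac == own_mac:
        return "unicast-to-us"
    if raw[0] & 0x01:  # group bit set in the first octet: multicast address
        return "multicast"
    return "unicast-to-other"

def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """Normal mode keeps frames to us, broadcast, or multicast; promiscuous keeps all."""
    if promiscuous:
        return True
    dst_mac = parse_ethernet(frame)[0]
    return classify_destination(dst_mac, own_mac) != "unicast-to-other"

def parse_arp(payload: bytes):
    """Decode an ARP packet into (opcode, sender_ip, target_ip); opcode 1 is a request."""
    _, _, _, _, op, _, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return op, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed ARP 'who has target_ip, tell sender_ip', sent to the broadcast MAC."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, mac_bytes(sender_mac),
                      socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))
    return BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp

# Constructed sample traffic: an ARP broadcast, and an IPv4 frame between two other hosts.
ARP_REQUEST = build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
UNICAST_TO_OTHER = (mac_bytes("aa:bb:cc:dd:ee:ff") + mac_bytes("00:11:22:33:44:55")
                    + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)
```

In normal mode only the ARP broadcast reaches the CPU; with promiscuous mode on, the unicast frame between the two other hosts is passed up as well.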

For the purposes of this book, you must have a NIC and an operating system that support the use of promiscuous mode. The only time you do not need to sniff in promiscuous mode is when you want to see only the traffic sent directly to the MAC address of the interface from which you are sniffing.

NOTE Most operating systems (including Windows) will not let you use a NIC in promiscuous mode unless you have elevated user privileges. If you cannot legally obtain these privileges on a system, chances are that you should not be performing any type of packet sniffing on that particular network.