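"Promiscuous mode" (you have to love that nomenclature) is a network interface mode in which the NIC reports every packet that it sees. If you're using the Wireshark packet sniffer and have it set to "promiscuous mode" in the Capture Options dialog box, you might reasonably think that you're going to see all the traffic on your network segment. That's not necessarily the case, for several possible reasons. So before you draw conclusions about the traffic on your Windows network using this tool, it's worth checking whether you're really capturing what you think you're capturing.

If you're connected to a switch rather than a hub, broadcast and multicast traffic will go to all ports, but unicast traffic will not. Check your switch to see if you can configure the port you're using for Wireshark to have all traffic sent to it ("monitor" mode), and/or to "mirror" traffic from one port to another. (This is one of the benefits of those more expensive managed switches.) The Wireshark SwitchReference page helps here; it's at http://wiki.wireshark.org/SwitchReference.

You might think that you can revert to using an old-style hub, as hubs don't segment network traffic the way switches do; and this "throwback" approach may work, but even hubs don't necessarily pass all traffic. For example, on some multispeed hubs, listening on a 100 Mbps port may not capture traffic on ports operating at 10 Mbps.

Separate from any hub and switch issues, some network interfaces do not allow themselves to be thrown into promiscuous mode. So if you think your network plumbing should permit promiscuous mode, you may want to check the NIC manufacturer’s website to see if there’s an issue there. Sometimes there’s a setting in the driver properties page in Device Manager that will allow you to manually set promiscuous mode if Wireshark is unsuccessful in doing so automatically. Some network interfaces even have a driver setting that permits an administrator to *permanently* disable promiscuous mode on that adapter!

So before you make any grand pronouncements about the results of your Wireshark research, make sure you inform yourself about the ways in which the traffic that you’re capturing may not be showing the whole picture. This tool is easy to use for capturing traffic in and out of one specific host, but beyond that, there are a lot of variables to consider!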
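One way to check what a capture really contains, as an added example that is not part of the original article: the script reads a classic pcap file saved from Wireshark and counts frames by destination type, so a capture that holds only broadcast, multicast and the capturing host's own unicast traffic is recognizable as a single-host view. The function names, MAC addresses and the two sample captures are constructed for illustration; a short capture with no foreign unicast is a strong hint rather than proof, since the segment may simply have been quiet.

```python
import struct
from collections import Counter

def classify_frames(pcap_bytes, my_mac):
    """Count Ethernet frames in a classic little-endian pcap by destination type."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet link type")
    counts, off = Counter(), 24                      # 24-byte global header
    while off + 16 <= len(pcap_bytes):               # 16-byte per-record header
        incl_len, = struct.unpack_from("<I", pcap_bytes, off + 8)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:                          # truncated Ethernet header
            continue
        dst, src = frame[0:6], frame[6:12]
        if dst == b"\xff" * 6:
            counts["broadcast"] += 1
        elif dst[0] & 1:                             # group bit set: multicast
            counts["multicast"] += 1
        elif my_mac in (dst, src):                   # traffic to or from this host
            counts["own_unicast"] += 1
        else:                                        # unicast between two other hosts
            counts["foreign_unicast"] += 1
    return counts

def sees_other_hosts(counts):
    """True only if unicast frames between other hosts reached the capture."""
    return counts["foreign_unicast"] > 0

# --- constructed sample data (made-up MAC addresses, not a real capture) ---
ME, A, B = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
BCAST, MCAST = b"\xff" * 6, bytes.fromhex("01005e0000fb")

def make_pcap(frames):
    """Build a pcap in memory from (dst, src) MAC pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        f = dst + src + b"\x08\x00" + b"\x00" * 46   # minimal padded frame
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SWITCH_PORT = make_pcap([(BCAST, A), (MCAST, B), (ME, A), (A, ME)])
MIRROR_PORT = make_pcap([(BCAST, A), (MCAST, B), (ME, A), (A, ME), (B, A), (A, B)])

if __name__ == "__main__":
    for name, cap in (("switch port", SWITCH_PORT), ("mirror port", MIRROR_PORT)):
        c = classify_frames(cap, ME)
        print(name, dict(c), "sees other hosts:", sees_other_hosts(c))
```

For a real capture, save it in the classic pcap format and pass the file's bytes together with the capturing adapter's MAC address.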
Wireshark and Promiscuous Mode
Why you may not be seeing all the traffic you think you are
Copyright © 2009. Raybet2