Packet capture in the "Star" topology for the local network
When using this topology, all the data that comes to the device linking the network devices in the Star is sent between all the network devices in the star and if the network device sees (comparison by MAC address or IP address) if the frame / packet is not for it, it discards this packet.
So, does this drop happen at the microcontroller/processor level of the network adapter, or higher, at the OS level?
I decided experiment with this.
Wireshark has the option "Capture all packets in promiscuous mode", it allows you to receive all packets that are addressed not only to my network adapter.
It turns out that the drop is at the OS level?
But, I ping the server on the second computer from the Star, and Wireshark on mine does not see responses from a ping from that computer, when "Capture all packets in promiscuous mode" is enabled.
Can the protection on the router go?
2 answers
You have an error in the methodology. The "star" topology and the network hub (aka "hub", the device is now almost a museum) are not synonymous. The hub sends traffic to all ports. You have a hundred pounds worth of switch. He first looks at which port he has such a mac, and then only on this port and sends the package. The switch can be made to work as a hub, this is called mac address table overflow. If the switch is yours, you can try it. If not your - do not, the admins will find and knock. The switch still can be the traffic mirroring mode. Again, if your switch is able to do this, you can try it. You can make your Wireshark PC the default gateway for the rest of the stations. Then they will send you all their non-local traffic themselves, voluntarily and with a song. And you will see it.
Network packets are transmitted by the active equipment only to the port on which the MAC address or the IP address of the receiver is registered, if this address is known to it (available in the switching table). If the address is unknown (self-learning mode), as well as when self-learning mode is disabled and when the switching table is full , the packet is duplicated to all ports. And we are not yet considering the restrictions associated with VLANs and other bells and whistles...
To ensure that such packages do not If they are dropped by the active network equipment and broadcast to a port where the destination address is not registered, you must either disable the self-learning function (effectively turning the switch into a hub), or enable port mirroring (copying packets passing through one port to another port, regardless of the information in the switching table).
In addition, packets that are not intended for this workstation (transit) are dropped already on the workstation (this function it can be executed both by the network card itself and by the driver serving it). To avoid this, you need to switch the interface to the mode of receiving transit packets (promiscuous mode).