When I use tcpdump to capture packets, why do I see only packets to or from my machine, or why do I not see all the traffic Im expecting to see from or to the machine Im trying to monitor?
This might be because the interface on which you’re capturing is plugged into a switch; on a switched network, unicast traffic between two ports will not necessarily appear on other ports – only broadcast and multicast traffic will be sent to all ports. Note that even if your machine is plugged into a hub, the “hub” may be a switched hub, in which case you’re still on a switched network. Note also that on the Linksys Web site, they say that their auto-sensing hubs “broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only”, which would indicate that if you sniff on a 10Mb port, you will not see traffic coming sent to a 100Mb port, and vice versa. This problem has also been reported for Netgear dual-speed hubs, and may exist for other “auto-sensing” or “dual-speed” hubs. Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single po
