Is it possible to capture all network traffic using tcpdump

Tags: networking, tcpdump

I have 3 computers on the same sub-net. Computer A and B are communicating with each other (ping, telnet, etc.). I'd like to see the packets between A and B on computer C. Is it possible to do this with tcpdump? I've read the manual and Googled this to no end but I can't make it work. tcpdump running on C does not see traffic between A and B. I know tcpdump is working because if either A or B pings C, tcpdump shows the network traffic. I've also manually put the interface on promiscuous mode (ifconfig ethx promisc) but still no output.

Comp-A, IP: 192.168.0.100
ping Comp-B ==> Comp-A gets reply from Comp-B

Comp-B, IP: 192.168.0.101
tcpdump -Xi eth1 ==> Sees ping packets from Comp-A

Comp-C, IP: 192.168.0.102
tcpdump -Xi eth1 ==> No output, just the generic tcpdump initial message

Best Answer

The reason you're not seeing them is that you're on a switched network. Your network switch only forwards packets to interfaces to which they are destined. This is determined by the link-layer address listed in the packet. Your switch knows that computers A, B & C are on ports 1, 2 & 3 respectively. When a packet is received from computer A on port 1 destined for computer B, the packet is only transmitted to port 2.

If you have a manageable switch you can configure what's sometimes called "port mirroring" or a SPAN port on port 3, which would then receive a copy of all packets traversing the switch.

If you don't have a managed switch there are other less...shall we say, conventional methods (e.g., arp spoofing & packet forwarding) to trick the rest of the network.
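To make the switching behaviour in this answer concrete, here is a small learning-switch model written for this page (not code from the original answer or from tcpdump). The MAC addresses and the three-port layout are constructed to match the question; it shows why port 3 (host C) never receives A<->B frames, regardless of promiscuous mode, and what changes once port 3 is configured as a mirror/SPAN port.

```python
class LearningSwitch:
    """Toy model of an Ethernet switch's forwarding decision, with optional port mirroring."""

    def __init__(self, num_ports, mirror_port=None):
        self.ports = range(1, num_ports + 1)
        self.mac_table = {}             # MAC address -> port it was last seen on
        self.mirror_port = mirror_port  # SPAN/mirror destination port, None if not configured

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame arriving on in_port is transmitted to."""
        # Learn: the source MAC is reachable via the ingress port.
        self.mac_table[src_mac] = in_port
        if dst_mac in self.mac_table:
            out_ports = {self.mac_table[dst_mac]}    # known destination: unicast to one port
        else:
            out_ports = set(self.ports) - {in_port}  # unknown destination: flood all other ports
        if self.mirror_port is not None:
            out_ports.add(self.mirror_port)          # SPAN: every frame is copied to the mirror port
        out_ports.discard(in_port)                   # never send a frame back out its ingress port
        return out_ports

# Constructed (hypothetical) MAC addresses for hosts A, B and C on ports 1, 2 and 3.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def ping_exchange(switch):
    """Simulate A pinging B (request + reply) and return which ports carry each frame."""
    # Each host has sent a broadcast earlier (e.g. ARP), so the switch knows all three ports.
    switch.forward(1, A, BROADCAST)
    switch.forward(2, B, BROADCAST)
    switch.forward(3, C, BROADCAST)
    request = switch.forward(1, A, B)  # echo request: A (port 1) -> B (port 2)
    reply = switch.forward(2, B, A)    # echo reply:   B (port 2) -> A (port 1)
    return request, reply

if __name__ == "__main__":
    # Promiscuous mode on C only lets its NIC accept frames that reach port 3;
    # without mirroring the switch never sends the A<->B frames there at all.
    plain = LearningSwitch(num_ports=3)
    print("no mirroring: ", ping_exchange(plain))  # port 3 absent from both sets
    span = LearningSwitch(num_ports=3, mirror_port=3)
    print("SPAN on port 3:", ping_exchange(span))  # port 3 receives a copy of both directions
```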
