(CrossPost) Wireshark capturing ICMP traffic between two computers without any SPAN port configured

Here is my configuration.

Device A – Host (Windows 10) => This is connected to the internet via Wireless WiFi

Device B – Kali Linux running under VMware under Bridge network configuration

Device C – Windows Server 2012 running under VMware under Bridge network configuration

I am in the process of learning Wireshark. Below are the steps I performed.

a) I launch Wireshark on Device B (Kali Linux)

b) I then issue a ping from device A to device C. Wireshark shows an ICMP request from device A to device C and then also the ICMP response from C to A.

I thought Wireshark cannot capture traffic from other devices unless a SPAN port is configured, which I have not done. Can anyone provide any reasoning behind this behavior?

View Reddit by palm_snow | View Source

  1. Sounds like you’re using a desktop version of VMware… Haven’t used it in a while but I believe bridge mode/bridge packets are equivalent to promiscuous mode on a virtual switch. That mode allows for all packets to be seen and intercepted.

  2. I don’t think I’ve ever used VMware Workstation (which is what it sounds like you’re using) but a quick Google found this: http://techgenix.com/understanding-virtual-networking-vmware-workstation-9/ and this: https://websistent.com/vmware-bridged-networking/

    I’m curious if you’re also seeing A – *internet* traffic from Wireshark on B. Regardless, if your goal is to learn Wireshark, this is likely something you can just ignore, or if not, you can go read the docs on network bridging and VMware Workstation.
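To check the behaviour described in the question, the following Python example (added here, not written by anyone in the thread) classifies captured Ethernet frames by whether they were addressed to the capturing interface. The MAC addresses, IP addresses and frames are constructed sample values standing in for Devices A, B and C.

```python
import socket
import struct

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame: bytes, local_mac: str):
    """Return (scope, icmp_kind); scope is "own", "group" or "foreign"."""
    if len(frame) < 14:
        return ("short", None)
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if frame[0] & 0x01:                      # I/G bit set: broadcast or multicast
        scope = "group"
    elif local_mac.lower() in (dst, src):    # sent by or to the capturing NIC
        scope = "own"
    else:                                    # unicast between two other hosts
        scope = "foreign"
    icmp_kind = None
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
        if frame[23] == 1 and len(frame) > 14 + ihl:   # IPv4 protocol 1 = ICMP
            icmp_type = frame[14 + ihl]
            icmp_kind = {8: "echo-request", 0: "echo-reply"}.get(icmp_type, f"type-{icmp_type}")
    return (scope, icmp_kind)

def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type):
    """Construct a minimal sample frame (checksums left at zero)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

# Constructed addresses standing in for Device A, B (capturing) and C.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
IP_A, IP_B, IP_C = "192.0.2.10", "192.0.2.11", "192.0.2.12"
SAMPLE = [
    build_echo(MAC_A, MAC_C, IP_A, IP_C, 8),   # A pings C
    build_echo(MAC_C, MAC_A, IP_C, IP_A, 0),   # C replies to A
    build_echo(MAC_A, MAC_B, IP_A, IP_B, 8),   # A pings B itself
    bytes.fromhex("ffffffffffff" "02000000000a" "0806") + bytes(28),  # broadcast frame
]

def summarize(frames, local_mac):
    return [classify(f, local_mac) for f in frames]

if __name__ == "__main__":
    for scope, kind in summarize(SAMPLE, MAC_B):
        print(f"{scope:8} {kind}")
```

Frames reported as `foreign` are unicast traffic between other hosts, which is what the A-to-C ping looks like from Device B's capture.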

