Seeing traffic destined for other people's servers in Wireshark
Posted by user350325 on Server Fault
Published on 2012-10-19T17:11:25Z
I rent a dedicated server from a hosting provider. I ran Wireshark on my server so that I could see incoming HTTP traffic that was destined for my server.
Once I ran Wireshark and filtered for HTTP I noticed a load of traffic, but most of it was not for stuff that was hosted on my server and had a destination IP address that was not mine; there were various source IP addresses. My immediate reaction was to think that somebody was tunnelling their HTTP traffic through my server somehow.
However, when I looked closer I noticed that all of this traffic was going to hosts on the same subnet and all of these IP addresses belonged to the same hosting provider that I was using.
So it appears that Wireshark was intercepting traffic destined for other customers whose servers are attached to the same part of the network as mine.
Now I always assumed that on a switch-based network this should not happen, as the switch will only send data to the required host and not to every box attached.
I assume in this case that other customers would also be able to see data going to my server. As well as potential privacy concerns, this would surely make ARP poisoning easy and allow others to steal IP addresses (and therefore domains and websites)?
It would seem odd that a network provider would configure the network in such a way. Is there a more rational explanation here?
© Server Fault or respective owner
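One way to check what a capture like the one described above contains, as an added example that is not part of the original post: it sorts captured Ethernet frames by destination MAC, separating unicast frames addressed to other hosts' NICs (the ones a switch would normally keep off this port) from broadcast and multicast. All MAC addresses, IP addresses and frames are constructed sample values, and the function names are hypothetical.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
MY_MAC = bytes.fromhex("020000000001")     # constructed: this server's NIC
OTHER_MAC = bytes.fromhex("020000000002")  # constructed: a neighbour's NIC

def classify_frame(frame, my_mac):
    """Return (category, dst_mac, dst_ip) for one raw Ethernet II frame."""
    if len(frame) < 14:
        return ("truncated", None, None)
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # skip one 802.1Q VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dst_ip = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:   # IPv4 header
        dst_ip = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    if dst == my_mac:
        cat = "to_me"
    elif dst == BROADCAST:
        cat = "broadcast"
    elif dst[0] & 1:            # group bit set: multicast
        cat = "multicast"
    else:                       # unicast to someone else's MAC
        cat = "foreign_unicast"
    return (cat, dst.hex(":"), dst_ip)

def summarize(frames, my_mac):
    """Count frames per category and per foreign (MAC, IP) destination."""
    counts, foreign = Counter(), Counter()
    for f in frames:
        cat, dmac, dip = classify_frame(f, my_mac)
        counts[cat] += 1
        if cat == "foreign_unicast":
            foreign[(dmac, dip)] += 1
    return counts, foreign

def _sample_frame(dst_mac, dst_ip):
    # Constructed frame: Ethernet II + minimal 20-byte IPv4 header, no payload.
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 198, 51, 100, 7]) + bytes(dst_ip)
    return dst_mac + bytes.fromhex("0200000000aa") + b"\x08\x00" + ip

SAMPLE = [_sample_frame(MY_MAC, (203, 0, 113, 10)),
          _sample_frame(OTHER_MAC, (203, 0, 113, 11)),
          _sample_frame(OTHER_MAC, (203, 0, 113, 11)),
          _sample_frame(BROADCAST, (203, 0, 113, 255)),
          _sample_frame(bytes.fromhex("01005e000001"), (224, 0, 0, 1))]

if __name__ == "__main__":
    print(summarize(SAMPLE, MY_MAC))
```

A large `foreign_unicast` count is the case the question describes; broadcast and multicast frames reach every port in the segment by design.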