I just read about promiscuous mode can be turned on of a internet interface? So I made a small test environment, I opened 3 droplet server on digitalocean, with private networking on. so I end up with 3 server within the 10.130.x.x local network.
server1: 10.130.247.92
server2: 10.130.237.218
server3: 10.130.237.219
in server1, I'm using tshark to capture packets from eth1(private network interface) by
tshark -i eth1
And in server2, I constantly ping server1
ping 10.130.247.92
now server1 capture all the ICMP packets from server2, in the meantime, I turn on promiscuous mode of eth1 in server3
ifconfig eth1 promisc
and start to capture eth1, but I couldn't capture the ICMP packet to server1.
Why is that? I'm guessing in the network is switch based, instead of hub based, so server3 can't capture packets from server2 to sever1, even they are all in the same local network and promiscuous mode is on
Your guess that switch is the culprit is correct. Promiscuous mode means that Ethernet controller would accept packets with any destination MAC address. It does not guarantee that such packet will be sent to that controller.
Even though those hosts are on the same subnet, these days the hosts on that subnet are likely to be connected to an ethernet switch. The switch monitors incoming packets from all ports and learns behind which port it's seen particular MAC addresses. So, if box A is connected to port 0, box B, to port 1 and box C to port 2, and assuming that each host already sent at least one packet so the switch knows who's where, if A sends a packet to B, the switch will send the packet only to port 1. If you've enabled promiscuous mode on C, you will not see the packet sent from A to B.
Here's somewhat more detailed explanation how MAC learning works.