
What is a cache flush, and how do you explain this TCPdump pattern?

Writer Andrew Henderson

I ran TCPdump a few times on my home network and found a lot of packets that were marked (Cache Flush), seemingly originating with my sister's laptop. I can't see any HTTP or HTTPS packets during the time periods that I was running TCPdump, which is odd, because I'm pretty sure people were browsing the web at the time, and I also only saw the cache flushes originating from her computer, not from anyone else's. What do these cache flushes mean? Are they remnants from an HTTP or HTTPS session? And why am I not seeing any HTTP/HTTPS packets in TCPdump, despite the fact that other people in the house were online? Is it simply a matter of me not running TCPdump while anyone was loading a web page? Or is it something else? There seems to still be a lot I don't understand about networking.

1 Answer

Your question is incomplete – many tcpdump markings are protocol-specific, so just saying "packets marked (Cache Flush)" means nothing at all; you need to post the full packet information.

In particular, "(Cache Flush)" is a parameter of mDNS packets, which are used for service discovery within the LAN. Computers running mDNS (usually OS X, but also some Linux systems, or Windows with iTunes) periodically send packets saying "my name is ZenComputer.local" (as well as additional information about offered services), and the "cache flush" bit basically means "forget all old information about this name and cache the new information".

(On that note, you might be better off using tshark or Wireshark – they usually generate more consistent and less confusing output.)

You are not seeing HTTP/HTTPS packets because you don't have any HTTP or HTTPS connections active. In other words, you're only seeing broadcasts and your own traffic.

If you use Wi-Fi, your computer's Wi-Fi adapter automatically discards all packets with the "wrong" address (partly to not waste power by bothering the OS about garbage). It might be possible to see them using the 'promisc' or 'monitor' modes (see Capture/WLAN in Wireshark's website), but often that's only supported on Linux.

If you have a wired connection, you won't receive these packets at all. Practically all Ethernet networks these days are switched – each Ethernet port remembers the MAC addresses of computers connected to it, and only sends packets to the right port. (While 15 years ago Ethernet hubs would send everything everywhere and you could see the data by enabling promiscuous mode, that's not true anymore.)
