In the spirit of what has been written here before, here’s a little magician’s trick to impress your 6-year-old with - I just learned about this today:
Assume an off-the-shelf setup in which your, say, FreeRTOS+TCP based unit communicates against a host PC, both on your desk. It works as expected, but in order to trace a routing problem, you modify the subnet mask on your FreeRTOS+TCP board such that the outbound packets go through the default gateway (an active third machine not important for the discussion here). Since this is a routing problem, some node in the path between the default gateway and your host PC drops the packets from your board, so the communication won’t work.
So you open Wireshark to at least try to figure out what’s going on, and lo and behold, KAMBAZAM! … the communication works fine. Just by opening Wireshark. Close Wireshark and the disturbance is back. Try this at home if you want to!
After some headscratching, I found a completely logical and crystal clear explanation. Wireshark’s PCAP driver will (MUST) put the local PHY into promiscuous mode, meaning that the unit’s MAC address filter will be disabled and ALL packets on the net will reach the app layer - that’s trivially necessary for Wireshark to work, right?
Yet in return that means not only that this puts a heavy performance burden onto your host PC, as Hein pointed out earlier, BUT also that the local TCP stack will now receive and process ALL IP packets seen on the net.
For most packets, that means that the additional IP address filter in the network stack will drop the packets whose target IP address does not match any locally allocated IP address. However, the routed packets to your host PC will still contain the “correct” target IP address (in fact they’ll look identical to the packets directed to the unit directly), but were initially directed to a different MAC address - the one of the default gateway! Since the MAC address is stripped anyways after the packet is passed up the MAC layer, your IP stack can’t tell the difference between the routed and non-routed packets and will treat them exactly as if they had gone directly to the host.
Phew! Lesson reconfirmed: Do NOT sniff the traffic on a machine that is involved in the communication you want to trace. Heisenberg effect.
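The two-stage filtering described in the post, as an added example that is not part of the original post or of FreeRTOS+TCP: it walks constructed Ethernet II/IPv4 frames through a modelled MAC filter and IP filter and flags the frames that are accepted only because promiscuous mode is on. All addresses and function names are constructed for illustration, and the multicast handling is a simplification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses (not from the original post). */
static const uint8_t HOST_MAC[6] = {0x02, 0, 0, 0, 0, 0x10};
static const uint8_t GW_MAC[6]   = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t HOST_IP[4]  = {192, 0, 2, 10};
static const uint8_t OTHER_IP[4] = {192, 0, 2, 99};

enum verdict { NOT_IPV4, DROP_AT_MAC, DROP_AT_IP, ACCEPT_DIRECT, ACCEPT_ONLY_PROMISC };

/* Hardware MAC filter as modelled here: own unicast address or any group
   (broadcast/multicast) address passes; real NICs filter multicast by list. */
static int mac_filter_pass(const uint8_t *dst) {
    return (dst[0] & 0x01) || memcmp(dst, HOST_MAC, 6) == 0;
}

/* Walk one Ethernet II + IPv4 frame through the MAC filter, then the IP filter. */
enum verdict classify(const uint8_t *f, size_t len, int promisc) {
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4)
        return NOT_IPV4;
    int mac_ok = mac_filter_pass(f);
    if (!mac_ok && !promisc) return DROP_AT_MAC;   /* never reaches the stack */
    if (memcmp(f + 30, HOST_IP, 4) != 0) return DROP_AT_IP;
    /* The IP layer only sees the IP header; the destination MAC is gone. */
    return mac_ok ? ACCEPT_DIRECT : ACCEPT_ONLY_PROMISC;
}

/* Build a minimal constructed frame for the given destinations and classify it. */
enum verdict sample_verdict(const uint8_t *dst_mac, const uint8_t *dst_ip, int promisc) {
    uint8_t f[34] = {0};
    memcpy(f, dst_mac, 6);        /* Ethernet destination MAC */
    f[12] = 0x08; f[13] = 0x00;   /* EtherType IPv4 */
    f[14] = 0x45;                 /* version 4, IHL 5 */
    memcpy(f + 30, dst_ip, 4);    /* IPv4 destination address */
    return classify(f, sizeof f, promisc);
}

int main(void) {
    printf("routed frame, sniffer closed: %d\n", sample_verdict(GW_MAC, HOST_IP, 0));
    printf("routed frame, sniffer open:   %d\n", sample_verdict(GW_MAC, HOST_IP, 1));
    return 0;
}
```

A frame classified as `ACCEPT_ONLY_PROMISC` is one whose delivery depends on the capture being active, which is the situation the post describes.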