Ethereal-users: Re: [Ethereal-users] Does Ethereal for NT with WinPcap does support PROMISCOUS m

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 15 Oct 2000 00:31:36 -0700

On Sat, Oct 14, 2000 at 05:13:54PM +0000, Vlad-Andrei Dorobantu wrote:
> I downloaded the last Ethereal for NT and installed on my NT 4.0 (SP6) 
> computer with the WinPcap packet driver. It's the best and fastest NT 
> analyzer, better than "Analyzer" tool.
> 
> But the problem is that I monitor only the packets intended for my computer 
> MAC address (except BROADCAST and MULTICAST packets). I don't know if there 
> are active hubs (it could be a possibility). 3COM are telling (on the web 
> site) that my NIC should support the PROMISCUOUS mode.
> 
> I believe that on NT, the PROMISCUOUS mode couldn't be set as easily as in UNIX 
> with the "ifconfig eth0 promisc". Meanwhile, I found some basic analysing 
> programs that turn on the PROMISCUOUS mode on Windows. I will send you these 
> programs.

I.e., those other programs capture unicast traffic sent to hosts other
than the host it's running on, on the same interface that Ethereal -
and, presumably, Analyzer, if Analyzer is the program from the
Politecnico di Torino, as it uses the same WinPcap driver that Ethereal
does - sees unicast traffic only when sent to or from the host on which
Ethereal is running?

> * Does Ethereal for NT support PROMISCUOUS mode?

It does so if WinPcap does, as it relies on WinPcap for capture
functions, and if the driver for the network card supports it.

> * Is there a way to control if the NIC is in PROMISCUOUS mode (3COM provides 
> no GUI configuration panel for the NIC)

Ethereal attempts to put the network interface into promiscuous mode;
typically, promiscuous mode isn't supposed to be a mode you set with a
command or GUI configuration item (either on UNIX or on Windows), it's
supposed to be a mode turned on by programs that are trying to see
traffic for hosts other than the one on which the program is running.

If Ethereal isn't doing so, then either

	1) there's a bug in the packet driver library, or the packet
	   driver, that come with WinPcap;

	2) there's something wrong with the driver for your network
	   interface.

I don't know what the cause of the problem might be; you'd probably have
to ask the people from the Politecnico di Torino for help there (they
subscribe to "ethereal-dev" and "ethereal-users", so they may reply
here; if not, you might want to, as per the page at

	http://netgroup-serv.polito.it/winpcap/

send mail to "winpcap@xxxxxxxxxxxxxxxxxxxxxxx").
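
Added example (not part of the original message, and not Ethereal or WinPcap code): one way to check a capture for the symptom discussed in this thread is to classify each Ethernet header against the capturing host's MAC address and count unicast frames that are neither to nor from that host. The MAC addresses, sample headers and function names below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame_class { FC_TRUNCATED, FC_BROADCAST, FC_MULTICAST,
                   FC_TO_LOCAL, FC_FROM_LOCAL, FC_FOREIGN_UNICAST };

/* Classify one Ethernet frame: destination MAC is bytes 0-5, source MAC bytes 6-11. */
enum frame_class classify_frame(const uint8_t *f, size_t len, const uint8_t local[6])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (len < 14) return FC_TRUNCATED;               /* shorter than an Ethernet header */
    if (memcmp(f, bcast, 6) == 0) return FC_BROADCAST;
    if (f[0] & 0x01) return FC_MULTICAST;            /* group bit of the first octet */
    if (memcmp(f, local, 6) == 0) return FC_TO_LOCAL;
    if (memcmp(f + 6, local, 6) == 0) return FC_FROM_LOCAL; /* our own outgoing traffic */
    return FC_FOREIGN_UNICAST;                       /* needs promiscuous mode to be seen */
}

/* Constructed sample (not a real capture): local MAC and five 14-byte headers. */
static const uint8_t LOCAL_MAC[6] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t SAMPLE[5][14] = {
    {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x02, 0x08,0x06}, /* ARP broadcast */
    {0x01,0x00,0x5e,0x00,0x00,0x01, 0x02,0,0,0,0,0x03, 0x08,0x00}, /* IPv4 multicast */
    {0x02,0,0,0,0,0x01,             0x02,0,0,0,0,0x02, 0x08,0x00}, /* to this host */
    {0x02,0,0,0,0,0x02,             0x02,0,0,0,0,0x01, 0x08,0x00}, /* from this host */
    {0x02,0,0,0,0,0x03,             0x02,0,0,0,0,0x02, 0x08,0x00}, /* between two other hosts */
};

/* Count frames exchanged between other hosts; zero matches the symptom in the thread. */
unsigned count_foreign_unicast(const uint8_t frames[][14], size_t n, const uint8_t local[6])
{
    unsigned hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_frame(frames[i], 14, local) == FC_FOREIGN_UNICAST)
            hits++;
    return hits;
}

int main(void)
{
    printf("foreign unicast frames: %u\n", count_foreign_unicast(SAMPLE, 5, LOCAL_MAC));
    return 0;
}
```

A count of zero is also what a switched segment normally produces regardless of the interface mode, since a switch forwards unicast frames only toward the destination's port.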