On Thu, Jul 05, 2001 at 12:43:07PM -0700, Anthony Abby wrote:
> I can see lots of ARP, BROWSER, and DNS packets being
> captured off the line,

With the exception of the DNS packets, those tend to be broadcast
packets, so this sounds like a promiscuous-mode or switched-network
issue.

> but I do not see any packets
> being captured related to http/smtp/pop

Those are TCP-based protocols, so those packets aren't broadcast
packets.

> When I started the packet sniffing I had selected to
> capture in promiscuous mode and didn't receive an
> error, although I'm not sure I would or not if my NIC
> will not support promiscuous mode.

1) It's conceivable that the NIC doesn't support promiscuous mode, or
that the driver doesn't enable it, but if it's an Ethernet interface,
that's *probably* not the problem.

2) Due to a bug in Ethereal 0.8.18, if, in that version, you do an
"Update list of packets in real time" capture, it won't run in
promiscuous mode, even if you've selected it, unless Ethereal is
explicitly configured to do promiscuous captures by default.

To configure it to do promiscuous captures by default, do a
promiscuous-mode capture, stop the capture, select the "Preferences"
item under the "Edit" menu, and click "Save", and then exit Ethereal.

3) Even if promiscuous mode *is* enabled, if you're on a switched
network (note that some "hubs" are, in fact, switches), a machine
running on one port probably won't see any unicast traffic other than
traffic to or from that machine.

To get around that, you'd have to set up the port into which the
machine running Ethereal (or any *other* packet analyzer; that
problem isn't specific to Ethereal) is plugged so that traffic on
other ports is "mirrored" to that port. Not all switches necessarily
support that type of "port mirroring", and the way it's done is
dependent on the switch - I don't know how to configure any
particular switches to do that, you'd have to check the documentation
for the switch.
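
Added example, not part of the original message: a small check that sorts captured Ethernet frames by destination MAC to tell "only broadcast/multicast and my own traffic" (the symptom described above) from a capture that really sees other hosts' unicast traffic. The MAC addresses, sample frames and function names are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame: bytes, local_mac: bytes) -> str:
    """Classify one captured Ethernet frame by its MAC addresses."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                        # group bit set: multicast
        return "multicast"
    if local_mac in (dst, src):
        return "unicast_local"
    return "unicast_foreign"                 # unicast between two other hosts

def diagnose(frames, local_mac: bytes):
    """Return (counts, verdict) for a list of raw frames."""
    counts = Counter(classify(f, local_mac) for f in frames)
    if counts["unicast_foreign"]:
        verdict = "seeing other hosts' unicast traffic"
    elif counts["broadcast"] or counts["multicast"]:
        verdict = "only broadcast/multicast and own traffic: check promiscuous mode or port mirroring"
    else:
        verdict = "no broadcast or foreign traffic captured"
    return counts, verdict

# Constructed sample data: the MAC addresses and frames below are made up.
LOCAL = mac("02:00:00:00:00:01")
HOST_B = mac("02:00:00:00:00:02")
HOST_C = mac("02:00:00:00:00:03")

def frame(dst: bytes, src: bytes, ethertype: int) -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + b"\x00" * 46

SWITCHED_PORT = [
    frame(BROADCAST, HOST_B, 0x0806),                  # ARP request
    frame(mac("01:00:5e:00:00:fb"), HOST_C, 0x0800),   # IP multicast
    frame(HOST_B, LOCAL, 0x0800),                      # our own traffic
]
MIRRORED_PORT = SWITCHED_PORT + [frame(HOST_C, HOST_B, 0x0800)]  # B -> C unicast

if __name__ == "__main__":
    for name, capture in (("switched", SWITCHED_PORT), ("mirrored", MIRRORED_PORT)):
        print(name, *diagnose(capture, LOCAL))
```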