Ethereal-users: Re: [Ethereal-users] Windows 2000 and promiscuous mode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 2 Oct 2001 12:23:30 -0700 (PDT)

> I'd like to be able to enable promiscuous mode on the Windows 2000
> version of Ethereal.
> 
> I have all the appropriate boxes checked, but I still only see traffic
> to and from my local machine.

	http://www.ethereal.com/faq.html#q3.6

"Q 3.6: I can't see any TCP packets other than packets to and from my
machine, even though another sniffer on the network sees those packets.

A: This might be because the network interface on which you're capturing
doesn't support "promiscuous" mode, or because your OS can't put the
interface into promiscuous mode.  Normally, network interfaces supply to
the host only:

          packets sent to one of that host's link-layer addresses; 

          broadcast packets; 

          multicast packets sent to a multicast address that the host
          has configured the interface to accept. 

Most network interfaces can also be put in "promiscuous" mode, in which
they supply to the host all network packets they see.  However, some
network interfaces don't support promiscuous mode, and some OSes might
not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any
traffic that isn't intended to be seen by your machine.  It will see
broadcast and perhaps some multicast packets; TCP doesn't use broadcast
or multicast, so you will only see your own TCP traffic, but UDP
services may use broadcast or multicast so you'll see some UDP traffic -
however, this is not a problem with TCP traffic, it's a problem with
unicast traffic, as you also won't see all UDP traffic between other
machines.

This might also be because the interface on which you're capturing is
plugged into a switch; on a switched network, unicast traffic between
two ports will not necessarily appear on other ports.  Some switches
have the ability to replicate all traffic on all ports to a single port
so that you can plug your sniffer into that single port to sniff all
traffic."

Is your machine plugged into a switch or switching hub?

If so, is the port into which it's plugged set to "mirror" stuff sent to
the other ports?  (Some switches, I think, let you do this; you'd have
to check the documentation for the switch to see how to do it.)

If it's plugged into a switch, and the port into which it's plugged
isn't set to mirror traffic, that could be the problem.

If it's not plugged into a switch, or the port isn't set to mirror
traffic, try running WinDump:

	http://netgroup-serv.polito.it/windump/

(which defaults to promiscuous mode).

If that doesn't work either, it's probably a WinPcap problem or a driver
problem, so you should send mail to

	winpcap@xxxxxxxxxxxxxxxxxxxxxxx

> If not, I'll just run it from FreeBSD or Linux

On the same machine?

If you have gotten it to run in promiscuous mode on the same machine,
when the machine is running FreeBSD or Linux, then it's almost certainly
either a WinPcap or a driver problem.
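
The FAQ answer quoted above lists what a non-promiscuous interface delivers to the host. As an added example (not part of the original post or of Ethereal), the following Python code sorts captured Ethernet frames by destination address into those categories and reports whether the capture contains any unicast traffic between other hosts. The MAC addresses, sample frames and function names are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify_frame(frame, local_macs):
    """Classify one raw Ethernet frame by its link-layer addresses."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # group bit set: multicast address
        return "multicast"
    if dst in local_macs:
        return "unicast_to_host"
    if src in local_macs:
        return "unicast_from_host"
    return "foreign_unicast"            # unicast between two other machines

def diagnose(frames, local_macs):
    """Return (counts, verdict) for a list of raw frames."""
    counts = Counter(classify_frame(f, local_macs) for f in frames)
    # Foreign unicast can only appear if the interface is promiscuous AND
    # the network segment (hub or mirrored switch port) delivers it.
    if counts["foreign_unicast"]:
        return counts, "foreign-unicast-seen"
    # Otherwise the capture alone cannot tell a non-promiscuous interface
    # from an unmirrored switch port; both look like this.
    return counts, "own-traffic-only"

# Constructed sample data (locally administered addresses, dummy payloads).
ME, A, B = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
IPV4 = b"\x08\x00"
OWN_ONLY = [
    ME + A + IPV4 + b"reply to me",
    A + ME + IPV4 + b"sent by me",
    BROADCAST + A + b"\x08\x06" + b"arp who-has",
    mac("01:00:5e:00:00:fb") + B + IPV4 + b"multicast",
]
WITH_FOREIGN = OWN_ONLY + [B + A + IPV4 + b"A talking to B"]

if __name__ == "__main__":
    for name, frames in (("own only", OWN_ONLY), ("with foreign", WITH_FOREIGN)):
        counts, verdict = diagnose(frames, {ME})
        print(name, dict(counts), verdict)
```
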