Ethereal-users: Re: [Ethereal-users] Newbie on Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 28 Oct 2001 12:18:11 -0800
On Sun, Oct 28, 2001 at 10:21:10AM -0500, Renato Punu wrote:
> I have installed WinPcap first as well as Ethereal ver 0.8.20. When I run
> Ethereal and hit capture/start, I can only see the NIC card interface on the
> INTERFACE field on my machine. Ex. EL90x, USB100TX.
> 
> Questions:
> 
> 1. If I want to capture the live packets coming in/out on Server#1 or
> router#1, can I do it on my machine (Win98)?

Yes, *IF* your machine is on the same network as server#1 or router#1. 
(You can see some packets coming from those machines if you're on a
different network - but the only packets you see will be those that
happen to be routed to or through the network your machine is on.)

> How can I define/enter the Server#1 or router# interface on the
> INTERFACE field?

You find out which network the machine is on, and specify whichever
interface on your machine is on the same network.

I'm not very familiar with Windows OT (95, 98, ME), but, if I remember
correctly, it has an "ipconfig" command similar to Windows NT (NT 3.x,
NT 4.0, W2K, WXP); try typing "ipconfig /all" in a MS-DOS console window
- it might list all the interfaces on your machine, complete with the
numbers that I think *might* be what WinPcap uses as names for
interfaces.

> 2. Does the Ethereal program need to be installed/loaded on each machine
> that you want to capture live packets from? The reason is I can only see the
> packets coming in/out on my Win98 machine when I start capture.

	http://www.ethereal.com/faq.html#q3.4

"Q 3.4: I can't see any TCP packets other than packets to and from my
machine, even though another sniffer on the network sees those packets.

A: This might be because the network interface on which you're capturing
doesn't support "promiscuous" mode, or because your OS can't put the
interface into promiscuous mode.  Normally, network interfaces supply to
the host only:

	packets sent to one of that host's link-layer addresses; 
	broadcast packets; 
	multicast packets sent to a multicast address that the host has
	configured the interface to accept. 

Most network interfaces can also be put in "promiscuous" mode, in which
they supply to the host all network packets they see.  However, some
network interfaces don't support promiscuous mode, and some OSes might
not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any
traffic that isn't intended to be seen by your machine.  It will see
broadcast and perhaps some multicast packets; TCP doesn't use broadcast
or multicast, so you will only see your own TCP traffic, but UDP
services may use broadcast or multicast so you'll see some UDP traffic -
however, this is not a problem with TCP traffic, it's a problem with
unicast traffic, as you also won't see all UDP traffic between other
machines.

This might also be because the interface on which you're capturing is
plugged into a switch; on a switched network, unicast traffic between
two ports will not necessarily appear on other ports.  Some switches
have the ability to replicate all traffic on all ports to a single port
so that you can plug your sniffer into that single port to sniff all
traffic."

(It says "TCP packets" in the FAQ because that's how people tend to ask
the question; it's not really an issue of TCP vs. UDP, it's an issue of
unicast vs. multicast, but they see UDP packets but not TCP packets and
conclude, incorrectly, that it's a TCP vs. UDP issue, because they *do*
see some UDP packets, even though they're not seeing all the UDP packets
on the network.)

I'd suggest checking first to make sure you're not on a switched network
(if you're plugged into a "hub", make sure it's not a "switching hub",
which is really a switch) and, if you're not:

	check with the vendor of your networking card to see if it
	supports promiscuous mode;

	if it does, send a bug report to
	winpcap@xxxxxxxxxxxxxxxxxxxxxxx, with full details about the
	type of networking card, etc., as there might be some problem
	with WinPcap that keeps it from turning promiscuous mode on.

> 3. How can I configure Ethereal on my Win98 so that when I run capture, I
> can see the captured packets in real time, not the total % packets, etc.?
> Right now I can only see the detailed info if I stop capturing the packets.

In the "Capture Preferences" dialog box, select "Update list of packets
in real time".

You might also want to select "Automatic scrolling in live capture",
which will make the topmost window, with the list of packets, scroll so
that the packets that have most recently arrived are displayed.
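The FAQ's delivery rule (own unicast, broadcast, configured multicast) and the effect of promiscuous mode, as an added Python model that is not part of the original post or of Ethereal/WinPcap; the MAC addresses, frames and the list of multicast groups the host has joined are constructed assumptions.

```python
# Added example, not from the post or from Ethereal/WinPcap: models the
# link-layer delivery rule the FAQ describes. Outside promiscuous mode a NIC
# hands the host only frames to its own MAC, broadcast frames, and frames to
# multicast groups it was configured to accept. All addresses/frames constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    return dst, src, int.from_bytes(frame[12:14], "big")

def is_multicast(mac: str) -> bool:
    # The I/G bit (lowest bit of the first octet) marks a group address.
    return int(mac[:2], 16) & 1 == 1

def nic_accepts(dst, host_mac, mcast_groups, promiscuous):
    """Would a NIC with this configuration pass the frame up to the host?"""
    if promiscuous:
        return True                      # everything on the wire
    if dst == host_mac or dst == BROADCAST:
        return True                      # own unicast, or broadcast
    return is_multicast(dst) and dst in mcast_groups

def visible_frames(frames, host_mac, mcast_groups=(), promiscuous=False):
    """(dst, src, ethertype) of each frame a capture on this host would show."""
    groups = set(mcast_groups)
    return [(d, s, t) for d, s, t in map(parse_frame, frames)
            if nic_accepts(d, host_mac, groups, promiscuous)]

def frame(dst, src, ethertype=0x0800):
    """Build a minimal constructed Ethernet II frame with a zero payload."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample: the questioner's Win98 host, Server#1 and router#1.
ME, SERVER, ROUTER = "00:01:02:03:04:05", "00:10:20:30:40:50", "00:aa:bb:cc:dd:ee"
ALL_HOSTS = "01:00:5e:00:00:01"                  # IPv4 all-hosts multicast
SAMPLE = [frame(ME, SERVER),                     # server -> me: always seen
          frame(SERVER, ROUTER),                 # router -> server: unicast elsewhere
          frame(BROADCAST, ROUTER, 0x0806),      # ARP broadcast: always seen
          frame(ALL_HOSTS, ROUTER)]              # multicast: only if joined

if __name__ == "__main__":
    for p in (False, True):
        print(f"promiscuous={p}: {len(visible_frames(SAMPLE, ME, promiscuous=p))} of {len(SAMPLE)} frames")
```

The unicast frame between Server#1 and router#1 only shows up in the promiscuous run, which is the situation the FAQ's Q 3.4 describes; a switch would additionally keep that frame off the capturing port altogether.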