Ethereal-users: Re: [Ethereal-users] Can't see outgoing packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 6 Jan 2002 16:05:49 -0800

On Fri, Jan 04, 2002 at 10:00:19AM +0100, Hermann Huebler wrote:
> I'm fairly new to ethereal and so I guess I'm doing something wrong.... I
> have installed ethereal using ethereal-setup-0.8.20.exe on windows 2000.
> When I start capturing data on my PCMCIA token ring interface I see only
> inbound traffic but no outbound traffic!

Does the driver for that token ring card support promiscuous mode? 
(Even if the card supports it, the driver might not.)

If not, you might not be able to see outgoing traffic; NDIS drivers
(that's what modern Windows network drivers are) might not supply
outgoing packets to a "protocol" (WinPcap's driver is a "protocol" in
this sense) unless the connection to that protocol is in promiscuous
mode - and if the driver doesn't support promiscuous mode, it may even
ignore WinPcap's request to put it into promiscuous mode, so that it
never supplies outgoing packets.

I cannot tell you whether your card's driver supports promiscuous mode;
you'd have to ask whoever supplied the driver (Microsoft, the card
vendor, etc.).  Ask them what happens if a protocol sets the
OID_GEN_CURRENT_PACKET_FILTER OID to NDIS_PACKET_TYPE_PROMISCUOUS; in
particular, ask them whether it supplies outgoing packets to the
protocol.  If the answer is "no", then you may not be able to capture
outgoing traffic on your token-ring card using Ethereal (or any other
application that uses WinPcap, e.g. WinDump or Analyzer) under Windows,
and, if so, there's probably nothing we (the Ethereal developers) or the
WinPcap developers can do about it.

(Other sniffers may be able to do it by supplying their own drivers for
the token-ring card; unfortunately, I suspect few, if any, of us have
the time or expertise to do that.)
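
Added example, not part of the original message and not Ethereal or WinPcap code: a self-contained C check that counts how many captured token-ring frames were sent by the local adapter, which is the symptom the reply describes (zero outbound frames when the driver does not supply them). It assumes frames start at the 802.5 AC byte and that the local address is given in the same bit order the capture uses; the addresses and frames are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.5 MAC header as it appears in a capture: AC(1) FC(1) DA(6) SA(6). */
#define TR_HDR_LEN 14
#define TR_SA_OFF  8
#define TR_RII     0x80  /* high bit of SA[0]: routing information present */

struct frame { const uint8_t *data; size_t len; };

/* Returns 1 if the frame's source address is the local adapter's address. */
int tr_is_outbound(const struct frame *f, const uint8_t local[6])
{
    uint8_t sa[6];
    if (f->len < TR_HDR_LEN)
        return 0;               /* truncated frame: cannot classify */
    memcpy(sa, f->data + TR_SA_OFF, 6);
    sa[0] &= (uint8_t)~TR_RII;  /* RII is a flag, not part of the address */
    return memcmp(sa, local, 6) == 0;
}

/* Counts frames sent by the local adapter; 0 over a busy capture suggests
   the driver is not supplying outgoing packets to the capture protocol. */
size_t tr_count_outbound(const struct frame *frames, size_t n, const uint8_t local[6])
{
    size_t i, out = 0;
    for (i = 0; i < n; i++)
        out += (size_t)tr_is_outbound(&frames[i], local);
    return out;
}

/* Constructed sample data (not from a real capture). */
static const uint8_t LOCAL_MAC[6] = {0x00,0x06,0x29,0x11,0x22,0x33};
static const uint8_t F_IN[]  = {0x10,0x40, 0x00,0x06,0x29,0x11,0x22,0x33, 0x00,0x04,0xAC,0xAA,0xBB,0xCC, 0xAA,0xAA};
static const uint8_t F_OUT[] = {0x10,0x40, 0x00,0x04,0xAC,0xAA,0xBB,0xCC, 0x80,0x06,0x29,0x11,0x22,0x33, 0x02,0x20};
static const uint8_t F_SHORT[] = {0x10,0x40,0x00};
static const struct frame SAMPLE[] = {
    {F_IN, sizeof F_IN}, {F_OUT, sizeof F_OUT}, {F_SHORT, sizeof F_SHORT}
};

int main(void)
{
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    printf("outbound frames: %zu of %zu\n", tr_count_outbound(SAMPLE, n, LOCAL_MAC), n);
    return 0;
}
```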