On Wed, Feb 13, 2002 at 08:14:35AM +0100, Jens Hektor wrote:
> Maybe the "open" call is done in a different way as windump does ?
> Sorry. I did *not* use the force and read the source ;-)

The open call in Ethereal 0.9.1 is

    pch = pcap_open_live(cfile.iface, cfile.snap, promisc_mode,
                         CAP_READ_TIMEOUT, open_err_str);

where:

    "cfile.iface" is a pointer that points to the string supplied in
    the combo box;

    "cfile.snap" is the number specified in the "Capture length"
    field;

    "promisc_mode" is 1 if "Capture packets in promiscuous mode" is
    specified and 0 otherwise;

    CAP_READ_TIMEOUT is 250 (250 ms, i.e. 1/4 second);

    "open_err_str" is a buffer into which an error message
    will be put if the open fails.

The open call in WinPcap 3.5.2 is:

    pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf);

where:

    "device" is a pointer that points to the string supplied on the
    command line with the "-i" flag, or to the device name if a
    number was supplied with "-i", or to the default device if no
    "-i" was specified;

    "snaplen" is the number specified with the "-s" flag, or 68 (or
    96, depending on whether WinPcap 3.5.2 is built with INET6
    defined or not) if no "-s" flag was specified;

    "pflag" is 1 if the "-p" flag was specified and 0 otherwise, so
    "!pflag" is 1 if the "-p" flag wasn't specified and 0 if it was;

    "ebuf" is a buffer into which an error message will be put if
    the open fails.

The only differences there are

    1) the default snapshot length is 65535, not 68 or 96, in
       Ethereal;

    2) the timeout is 1/4 second, rather than 1 second;

(unless WinPcap is built as a Unicode application and passes a Unicode
string, rather than an ASCII string, to "pcap_open_live()", but it is
*not*, as I remember, built as a Unicode application).

> Do I have to be "root" (aka Administrator) on my XP Box or is it enough
> to be a user with administrative rights to run ethereal ?

The rules are the same for Ethereal and for WinPcap.

> Or could it be another process blocking the device ?

If it were, it'd block both Ethereal and WinPcap.

> The system message however is "file not found" (in German:
> "das System kann die angegebene Datei nicht finden").

Is the full message

    The capture session could not be initiated (das System kann die
    angegebene Datei nicht finden).

    Please check that you have the proper interface specified.

    Note that the driver Ethereal uses for packet capture on Windows
    doesn't support capturing on PPP/WAN interfaces in Windows NT/2000.

(note that "Windows NT/2000" really means "Windows NT 4.0 and later",
which includes not only NT 5.0, which Microsoft's marketoons insist on
calling "Windows 2000", but also NT 5.1, which Microsoft's marketoons
insist on calling "Windows XP" if it's a desktop version and "Windows
.NET Server" if it's a server version)?