Ethereal-users: Re: [Ethereal-users] Re: ethereal on Win XP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 12 Feb 2002 23:51:46 -0800

On Wed, Feb 13, 2002 at 08:14:35AM +0100, Jens Hektor wrote:
> Maybe the "open" call is done in a different way than windump does?
> Sorry. I did *not* use the force and read the source ;-)

The open call in Ethereal 0.9.1 is

	pch = pcap_open_live(cfile.iface, cfile.snap, promisc_mode,
	    CAP_READ_TIMEOUT, open_err_str);

where:

	"cfile.iface" is a pointer that points to the string supplied in
	the combo box;

	"cfile.snap" is the number specified in the "Capture length"
	field;

	"promisc_mode" is 1 if "Capture packets in promiscuous mode" is
	specified and 0 otherwise;

	CAP_READ_TIMEOUT is 250 (250 ms, i.e. 1/4 second);

	"open_err_str" is a buffer into which an error message
	will be put if the open fails.

The open call in WinPcap 3.5.2 is:

	pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf);

where:

	"device" is a pointer that points to the string supplied on the
	command line with the "-i" flag, or to the device name if a
	number was supplied with "-i", or to the default device if no
	"-i" was specified;

	"snaplen" is the number specified with the "-s" flag, or 68 (or
	96, depending on whether WinPcap 3.5.2 is built with INET6
	defined or not) if no "-s" flag was specified;

	"pflag" is 1 if the "-p" flag was specified and 0 otherwise, so
	"!pflag" is 1 if the "-p" flag wasn't specified and 0 if it was;

	"ebuf" is a buffer into which an error message will be put if
	the open fails.

The only differences there are

	1) the default snapshot length is 65535, not 68 or 96, in
	   Ethereal;

	2) the timeout is 1/4 second, rather than 1 second;

(unless WinPcap is built as a Unicode application and passes a Unicode
string, rather than an ASCII string, to "pcap_open_live()", but it is
*not*, as I remember, built as a Unicode application).

> Do I have to be "root" (aka Administrator) on my XP Box or is it enough
> to be a user with administrative rights to run ethereal?

The rules are the same for Ethereal and for WinPcap.

> Or could it be another process blocking the device?

If it were, it'd block both Ethereal and WinPcap.

> The system message however is "file not found" (in German:
> "das System kann die angegebene Datei nicht finden").

Is the full message

	The capture session could not be initiated (das System kann die
	    angegebene Datei nicht finden).
	Please check that you have the proper interface specified.

	Note that the driver Ethereal uses for packet capture on Windows
	doesn't support capturing on PPP/WAN interfaces in Windows NT/2000.

(note that "Windows NT/2000" really means "Windows NT 4.0 and later",
which includes not only NT 5.0, which Microsoft's marketoons insist on
calling "Windows 2000", but also NT 5.1, which Microsoft's marketoons
insist on calling "Windows XP" if it's a desktop version and "Windows
.NET Server" if it's a server version)?