Ethereal-users: Re: [Ethereal-users] Cannot see traffic from my machine?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 19 Apr 2002 14:41:55 -0700

On Fri, Apr 19, 2002 at 04:30:21PM -0500, Sammy Ballew wrote:
> I see the same behavior when promiscuous is enabled
> or not. When I disable promiscuous I still see traffic
> that indicates something else is setting the interface 
> to promiscuous.

What traffic do you see of that sort?

> With no filters I do see outgoing ARP packets but no TCP.

Outgoing ARP packets are probably broadcast packets; what's the
destination Ethernet address of the ARP packets you see? 
ff:ff:ff:ff:ff:ff?  If so, they're broadcast.

TCP packets aren't broadcast packets.

> Does it make
> sense that the "underlying networking mechanism" to which you refer would
> capture ARP but not TCP?

It sort of makes sense that the underlying networking mechanism would
capture broadcast packets but not unicast packets, which would make it
look as if it's capturing ARP but not TCP (it might not capture unicast
ARPs, such as ARP *replies*, and TCP packets aren't the only packets it
wouldn't capture).

Ethernet adapters generally do not receive packets that they transmit;
in order to allow broadcast packets to be seen by *all* machines on a
network, including the machine sending the packet, Ethernet drivers
often "wrap around" broadcast packets that they send, by feeding them to
their input routine, as if they arrived on the network interface.

If the driver doesn't wrap around *all* outgoing packets, even unicast
packets, when put into promiscuous mode, then WinPcap can't see outgoing
packets even in promiscuous mode.

The driver writer may not have understood that some applications (such
as those using WinPcap) might put their connection to the driver into
promiscuous mode, with the intent of seeing *all* packets, and therefore
that the driver should wrap all outgoing packets in promiscuous mode,
not just broadcast packets.
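
Added example, not part of the original message and not code from Ethereal or WinPcap: a Python check over raw captured Ethernet frames that tallies the frames sent by the capturing host by destination type, to confirm the broadcast-only pattern described above. The function names, MAC addresses and sample frames are constructed for illustration.

```python
BROADCAST = bytes.fromhex("ffffffffffff")

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % text)
    return raw

def dest_kind(dst):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    # Lowest bit of the first octet is the group (multicast) bit.
    return "multicast" if dst[0] & 0x01 else "unicast"

def tally_outgoing(frames, local_mac):
    """Count captured frames sent by the local host, by destination kind."""
    local = parse_mac(local_mac)
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0}
    for f in frames:
        if len(f) < 14:  # shorter than an Ethernet header, ignore
            continue
        dst, src = f[0:6], f[6:12]
        if src == local:
            counts[dest_kind(dst)] += 1
    return counts

def diagnose(frames, local_mac):
    """Name the capture pattern; 'group-only' is the symptom in the message."""
    c = tally_outgoing(frames, local_mac)
    if sum(c.values()) == 0:
        return "no-outgoing"
    return "group-only" if c["unicast"] == 0 else "unicast-seen"

def frame(dst, src, ethertype):
    """Build a constructed minimum-size Ethernet frame with a zero payload."""
    return parse_mac(dst) + parse_mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample capture; both addresses are made-up locally administered MACs.
LOCAL, PEER = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    frame("ff:ff:ff:ff:ff:ff", LOCAL, 0x0806),  # outgoing ARP request, broadcast
    frame(LOCAL, PEER, 0x0806),                 # incoming unicast ARP reply
    frame(LOCAL, PEER, 0x0800),                 # incoming IPv4 (TCP) frame
]

if __name__ == "__main__":
    print(tally_outgoing(SAMPLE, LOCAL), diagnose(SAMPLE, LOCAL))
```

A "group-only" result on a capture taken while the host was sending TCP traffic is consistent with a driver that wraps around only its outgoing broadcast packets.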