Ethereal-users: Re: [Ethereal-users] One-Way Capture 0.9.5

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 21 Aug 2002 14:31:25 -0700
On Tue, Aug 20, 2002 at 10:28:46PM -0400, Steve Currie wrote:
> When I capture traffic I see only traffic destined for my NIC.  The outbound
> requests do not appear.  I have no filters enabled.  I am using ethereal
> 0.9.5 on Win2K with winPcap 2.3 (latest non-beta version).  I observed the
> same behavior with 0.9.4 and 2.1.  I observed the same behavior on two
> different PCs with different NICs, media, etc.  The NICs were Compaq PCMCIA
> token ring (not sure of exact model), IBM turbo 16/4 PCMCIA token ring,

Some Token Ring adapters might not support promiscuous mode at all,
meaning they cannot see traffic not destined for them.

Some Token Ring adapters that support promiscuous mode in hardware might
not have Windows drivers that allow it, or might not have drivers that
allow it without, for example, running a configuration program to enable
it, or tweaking some registry entry to allow it, presumably as a
security measure to make it possible to configure machines not to allow
sniffing by default.

I don't know which cards support promiscuous mode, or, of those cards,
which ones have Windows drivers that don't, by default, allow
promiscuous mode to be turned on, or that don't allow it to be turned on
at all.  For those that don't allow it by default, I don't know how to
configure them to allow it.  You'd have to ask the vendors of your cards
about that.

It might be that they *ignore* attempts to put the NIC into promiscuous
mode, rather than returning an error, so that even if you turn on the
"use promiscuous mode" option in a sniffer program (or don't turn that
option off), the capture won't be done in promiscuous mode.

I don't know whether Token Ring adapters see packets that they
themselves transmit, but few, if any, Ethernet adapters do so.
Therefore, in order to capture outgoing packets, they need to treat
outgoing packets like incoming packets, at least when capturing packets,
and process them as input packets.

It may be that the driver takes promiscuous mode literally, i.e. they
don't process outgoing packets as input packets unless

	1) they're broadcast or multicast packets

or

	2) they're being transmitted *to* the NIC's address

or

	3) the card is in promiscuous mode

because, if the card isn't in promiscuous mode, it'll see only broadcast
or multicast packets, or packets sent to it.  (That's the way at least
some drivers on Solaris appear to behave - you don't see outgoing
packets unless you're in promiscuous mode - and perhaps Windows driver
writers did the same in their drivers.)

If that is the case, and if the driver doesn't allow the NIC to be put
into promiscuous mode, it may be impossible to see outgoing traffic.

> and Cisco Aironet 350.

I know of no official way, on Windows, to put an 802.11 NIC into "monitor
mode" through NDIS interfaces, so WinPcap can't do that.

I don't know how 802.11 NICs do promiscuous mode if they're not in
monitor mode.

I also don't know whether any 802.11 NIC drivers behave the way that
Token Ring drivers might work, i.e. not allowing promiscuous mode, so
that might be the problem.

> Any thoughts or ideas?

Use Linux or BSD. :-)  (Their drivers do a better job of letting you do
promiscuous sniffing, and they also are more willing to process outgoing
packets as input packets when doing packet captures.)