On Sun, Mar 14, 2004 at 08:15:06PM -0500, Keun Lee wrote:
> I see that it captures transmitted packets (as well as the
> received packets). I don't understand how the transmitted packets
> are captured on full duplex ethernet ports.
If promiscuous mode is off, WinPcap requests that the network interface
supply packets received on that interface *and* packets sent on that
interface; if it's on, it requests promiscuous mode, which might, or
might not, supply packets sent on that interface - Ethernet drivers tend
to supply packets sent on the interface, while many 802.11 drivers
don't, for some reason.
As such, the transmitted packets aren't "captured" in the sense of being
received by the machine sending them - instead, they're "wrapped around"
as input to WinPcap.
WinPcap does this because that's the way most if not all of the packet
capture mechanisms used by libpcap on UNIX systems work, and because it
allows you to capture traffic to and from a machine on that machine
itself rather than requiring you to use a third machine to capture that
traffic. (Sometimes a network analyzer is used as a passive tap,
capturing traffic on a network without participating in the network; the
network interface would, for LANs, typically be run in promiscuous mode.
However, sometimes it's used to track down a problem on the machine on
which it's running, or a problem with a machine with which the machine
on which it's running is communicating, in which case it's *not* just a
passive tap and *does* want to see traffic sent by the machine. In
still other cases, it might be an *active* promiscuous tap.)