Ethereal-users: [Ethereal-users] Re: Re: 802.1p packet marking / detection

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Chris T." <k0rnshell@xxxxxxxxxxx>
Date: Mon, 6 Dec 2004 05:39:37 -0600
How do i find this raw interface on Windows XP? I have been googling and I 
can't find anything. Has anyone done this before?


"Guy Harris" <gharris@xxxxxxxxx> wrote in message 
news:41B37B01.90002@xxxxxxxxx...
> Chris T. wrote:
>> I read the FAQ and I am not sure I completly understand what they are 
>> saying.
>
> What the FAQ is saying could be thought of as
>
> Ethereal doesn't directly control the network hardware on the machine on 
> which it's running.  It uses libpcap/WinPcap to do that, and 
> libpcap/WinPcap doesn't directly control it, either; it requests that 
> various pieces of networking code in the OS do so.
>
> The networking code in the OS, on machines connected to a VLAN, might 
> contain a networking "interface" that doesn't directly correspond to the 
> network adapter, and doesn't supply packets as received by the network 
> adapter; instead, it might supply packets that have the VLAN header 
> removed.
>
> It might also contain a networking interface that directly corresponds to 
> the network adapter, and supplies the raw packets as received by the 
> adapter; in order to see VLAN tags, and traffic for VLANs other than the 
> one to which the machine is connected, you'll have to capture on that 
> interface, rather than on the one that supplies packets with the VLAN 
> header removed.
>
> What the interfaces are called depends on your OS; I don't have a list of 
> what they're called on various OSes.
>
> A further problem is that I think some network adapter hardware can be 
> configured to be connected to a particular VLAN, in which case they'll 
> strip off VLAN tags, and discard packets not for that VLAN, before 
> supplying them to the host, in which case there might not *be* an 
> interface that can see the raw packets on the LAN.  In that case, you 
> might have to capture on a machine that's not connected to any VLAN - in 
> which case it might not be able to communicate on the LAN, in particular 
> to resolve network addresses to host names, so you might have to turn off 
> network name resolution to prevent Ethereal (or whatever capture program 
> you're using) from pausing for long periods of time trying to resolve 
> network addresses.