[Guy Harris <gharris@xxxxxxxxx>]

Dick Griest wrote:

> (1) Where you list the standard download Win32 distribution 
> http://www.ethereal.com/distribution/win32/ you could add WinPcap 3.1 
> Beta4 to the WinPcap 3.0 currently shown, with a note about PPP support 
> from FAQ http://winpcap.polito.it/misc/faq.htm#Q-4
>
>     */IMPORTANT UPDATE:/* we have added an experimental support for
>     capturing on PPP in WinPcap 3.1beta (the feature is available on
>     Windows 2000/XP/2003, it does NOT work on NT4). 

We could add that, but we should also note that it's a beta, and that 
you take a risk of some stuff that worked in WinPcap 3.0 *not* working 
in the 3.1 beta (and that if you discover something such as that, you 
should report it ASAP to the WinPcap developers, so that the final 
version of 3.1 doesn't have regressions from 3.0).

> (2) Delete all "List" posts http://www.ethereal.com/lists/ which state 
> that Ethereal (WinPcap) doesn't work with PPP as these posts confuse the 
> issue if you run into trouble capturing with a dial-up adapter.

That's supposed to be an archive of *all* mail to the lists, not a 
knowledge base; deleting old messages would be contrary to the purpose 
of the archive.  At most, we should put in a warning that old mails 
might not correctly answer current questions.

> (3)  At the top of each of the online help files which appear when you 
> click on the Life Preserver Icon in Ethereal, place instructions that 
> the help text should be copied to the Windows clipboard and pasted into 
> a file where it can searched electronically using "Ctrl F", instead of 
> having to read the entire contents to see if what you are looking for is 
> there.  For some reason when you have these files open in Ethereal and 
> press "Ctrl F", the normal Windows search feature has been disabled.

Be aware that Ethereal is *not* using the standard Windows GUI toolkit - 
it was originally developed as a UN*X application, and is still being 
actively developed as a UN*X application as well as a Windows 
application.  As such, in some cases the normal Windows features might 
not work.

I think for text widgets the normal GTK+ control-F search feature could 
be made to work; if so, the correct short-term fix would be to do that, 
not to put up instructions for a complicated process to work around that 
deficiency.

(In the longer term, we should probably use the native help viewer on 
various platforms, if available, and use an available Web browser 
otherwise, and perhaps fall back on the existing text display if there's 
no native help viewer and no configured Web browser.)

> (4) After completing step (3) I quickly located what the Help files had 
> to say about PPP.
>
>     3. WinPcap 3.0 doesn't support PPP WAN interfaces, and WinPcap 2.3
>     doesn't support PPP WAN interfaces on Windows NT/2000/XP/Server,
>     so Ethereal cannot capture packets on those devices with WinPcap
>     3.0, or with WInPcap 2.x when running on Windows
>     NT/2000/XP/Server. Regular dial-up lines, ISDN lines, and various
>     other lines such as T1/E1 lines are all PPP interfaces. This may
>     cause the interface not to show up on the list of interfaces in
>     the "Capture Options" dialog.
>
> There is no mention here of WinPcap 3.1 Beta.

That's from the FAQ; my plan is to remove a lot of those details from 
the FAQ and move them to a "CaptureSetup/PPP" page in the Ethereal Wiki, 
at which time I can put in a note about the beta, with a warning.  (I'm 
going to do similar things for other capture setup issues - that way, 
the FAQ doesn't have to change as often, and any user can update the 
capture setup information.)

> Also when it says Windows 
> NT/2000/XP/Server I assume it means the server versions of Windows 
> NT/2000/XP  but it could also be interpreted as Windows NT/2000 and the
> server version of Windows XP.

What it really means is "Windows NT", but, unfortunately, Microsoft 
decided to call Windows NT 5.0 "Windows 2000", Windows NT 5.1 "Windows 
XP", and Windows NT 5.2 "Windows Server 2003".  I.e., what it means is 
NT 4.0, W2K, WXP, and WServer 2K3.  I'll look at rephrasing that to make 
it clearer.

>     Q 5.6: I'm running Ethereal on Windows; why doesn't my serial
>        port/ADSL modem/ISDN modem/show up in the list of interfaces in the
>        "Interface:" field in the dialog box popped up by "Capture->Start"?
>      
>
>        A: All of those devices support Internet access using the
>        Point-to-Point (PPP) protocol; WinPcap 3.0 doesn't support PPP
>        interfaces, and WinPcap 2.x doesn't support PPP interfaces on Windows
>        NT/2000/XP/Server, so Ethereal cannot capture packets on those
>     devices
>        with WinPcap 3.0, or with WinPcap 2.x when running on Windows
>        NT/2000/XP/Server. This may cause the interface not to show up on the
>        list of interfaces in the "Capture Options" dialog.
>
> Again no mention of WinPcap 3.1 Beta.

Again, those should probably be moved to the Wiki, with a note about the 
beta added then.

> In the "FAQ" tab, the questions 
> appear first without the answers and later down below with the answers.  
> This works in hypertext but is somewhat confusing in the plain text of 
> the Help window.

That's something that using native help browsers, which I think are 
HTML-based on most modern desktop environments - HTML Help in later 
versions of Windows (and I think Microsoft might let you bundle the HTML 
Help viewer with applications to let it run on older versions of 
Windows), Help Viewer in OS X, and the KDE and GNOME help viewers - 
might alleviate.

>        Q 5.24: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
>        has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up
>     in the
>        "Interface" item in the "Capture Options" dialog box. Why can no
>        packets be sent on or received from that network while I'm trying to
>        capture traffic on that interface?
>      
>        A: WinPcap doesn't support PPP WAN interfaces on Windows
>        NT/2000/XP/Server; one symptom that may be seen is that attempts to
>        capture in promiscuous mode on the interface cause the interface
>     to be
>        incapable of sending or receiving packets. You can disable
>     promiscuous
>        mode using the -p command-line flag or the item in the "Capture
>        Preferences" dialog box, but this may mean that outgoing packets, or
>        incoming packets, won't be seen in the capture.
>
> Again no mention of WinPcap 3.1 Beta.

See previous note.

> Also the error message which pops up when you try to manually poke a 
> non-existant adapter name into the adapter selection window needs to be 
> modified as it currently reads "WinPcap 3.0 and later versions don't 
> support capturing on PPP/WAN interfaces at all." (see attached Ethereal 
> vs PPP Message confusing.gif)  Here again we have the confusing wording 
> of "doesn't support capturing on PPP/WAN interfaces in Windows 
> NT/2000/XP/2003 Server", which is different than that in the Help file.

I'll look at updating that message.

> (5)  Because Windows PPP support is new, there is nothing about it in 
> the Help portion of Ethereal (Live Preserver Icon) or in the online 
> hypertext Help or online PDF Help file.  I have attached some screen 
> captures which show that the PPP adapter doesn't show up as available 
> until the computer has established a dial-up connection with the 
> internet.

Interesting.

Note that many of the people who maintain the code and the FAQ either 
don't run Windows as their main OS or don't use PPP links and thus have 
only "second-party" familiarity with that part of WinPcap's behavior. 
Putting the discussion of PPP capture setup into the Wiki would allow 
people who *do* have direct experience update the information.

> At first all that showed up was "Generic NdisWan adapter: 
> \Device\NPF_GenericNdisWanAdapter".  However I was able to capture my 
> dial-up conversations with my internet ISP using this Generic Ndis Wan 
> adapter.  After I established the dial-up connection an additional 
> adapter showed up "WAN (PPP/SLIP) Interface: 
> \Device\NPF_{F37D0895-3FB0-4946-89D1-42FE988DBA90}".   I reloaded a 
> fresh image of Win 2K and verified that the key 
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F37D0895-3FB0-4946-89D1-42FE988DBA90} 
> was present prior to loading WinPcap and Ethereal.  It was.  This raises 
> the question of why WinPcap can't find it until going online and 
> establishing a dial-up conncection and what the differences are, if any, 
> between the two adapters.

You might want to ask the WinPcap developers about that.

> Including these screen captures in the online help with a statement 
> like, "If you can talk to the internet over a dial-up phone line, this 
> is what you should see after loading WinPcap and Ethereal." would be 
> helpful to people like me.  I would expect that other people might have 
> the experience I had where one downloads a commercial sniffer, tries it, 
> gets sticker shock, and then looks for a freeware version to download.

Note, of course, that one thing the money for a commercial network 
analyzer goes to is paying people to do stuff such as

	answering the phone on a support line;

	keeping documentation up to date;

	directly supporting various platforms and network types;

etc., so when you go with a volunteer-supported program such as 
Ethereal, you might pay less, but you also depend on people who don't 
work on Ethereal as a full-time job and who might also work at full-time 
jobs.

> In closing let me say that I appreciate your product, which as a member 
> of the general public, I am using to evaluate the effectiveness of my 
> firewall, and to get a handle on the spyware on my computer.  Let me say 
> that I was shocked.  Shocked!  It takes 15 IP sites just to download one 
> newspaper article from the Washington Post online.

The price of a dead-tree newspaper, as far as I know, doesn't cover the 
full cost of producing the paper, which is why, at least in the US, a 
term used for the part of the paper that has news articles is "the news 
hole" - it's a hole in the paper, between the advertisements, into which 
news is stuffed.  (I also think it's been said that the purpose of 
television programming is to keep the viewer from turning the set off so 
that they get to see the commercials.)

The price of an online newspaper is typically zero, so they need 
advertising revenue even more, hence the banner and pop-up ads.