shai.zrihen@xxxxxxxxxxx wrote:
> I'm using ethereal 10.9 winpcap 3.0 win 2000.
> I can't see packets that are getting out from the machine that runs
> Ethereal (no VPN or wifi are running).

I assume from your later comment that you're trying to capture in
promiscuous mode.
If so, perhaps the driver for that particular network adapter implements
NDIS_PACKET_TYPE_PROMISCUOUS as "don't wrap local packets around and
supply them as input to that NDIS connection"; as I remember, the NDIS
specification is a bit ambiguous as to whether, in
NDIS_PACKET_TYPE_PROMISCUOUS mode, packets sent by the machine should be
supplied as input or not - a number of 802.11 adapters seem to work that
way, but there might be some Ethernet drivers that do so as well.

Try capturing in non-promiscuous mode. If you still don't see the
packet sent by the machine running Ethereal, the driver also doesn't
implement NDIS_PACKET_TYPE_ALL_LOCAL correctly - as I remember, the NDIS
specification isn't ambiguous about whether packets sent by the machine
should be supplied as input in NDIS_PACKET_TYPE_ALL_LOCAL mode, it
definitely says they should be. If you do see those packets, the
problem is probably that NDIS_PACKET_TYPE_PROMISCUOUS is implemented the
way described above.

You might want to try it with WinDump and, if the same problem occurs,
report it to the WinPcap developers:
http://winpcap.polito.it/contact.htm

You might want to follow the steps there and then try with the WinPcap
3.1 beta release as well, although, if it's a driver problem, there's
nothing, as far as I know, that WinPcap can do about it, so 3.1 beta
probably won't help.

> I also can't see packets that are sent to the ethernet port but are not
> addressed directly to the machine that runs Ethereal.

If you're capturing in promiscuous mode on a switched network, or on a
dual-speed hub, see
http://www.ethereal.com/faq#q5.1