Stefan A. wrote:
I'm new to Solaris but have been using ethereal for some years.
(1) on SuSe 8and on Windows?), there is an 'any' interface available, which
captures all packets on all interfaces.
Linux has it, Windows doesn't. The Linux networking stack lets you have
a PF_PACKET socket that's not bound to a network interface, and that
receives packets from all interfaces. WinPcap doesn't support that; it
might be that NDIS doesn't let you capture packets without connecting to
a particular interface.
On Solaris (eri and qfe) this interface seems to be not available.
DLPI, as used on various OSes including Solaris, doesn't support that
either, so there's no "any" device.
(2) I'm using a lot of subinterfaces on the box (qfe0:1 ... 18). What I've
expirienced in addition is, that I can not see packets sent from one
subinterface to an other (e.g. qfe0:2 > qfe0:6), which I have to use fpor
testing purposes.
Packets sent from a machine to itself are, as far as I know, on Solaris,
not supplied to DLPI, and are therefore uncapturable by libpcap.
(3) An other thing: If I'm using the promiscous mode on the Interface, I can
not see any packets leaving th box over a subinterface. The answers are
captured fine. (e.g. I see the RADIUS Access Accept and two Accounting ACKs
for a single RADIUS Session).
So those are packets being sent to another machine, rather than being
sent from the machine to itself?