[Guy Harris <gharris@xxxxxxxxx>]

Franco Martini wrote:
> Is there any version of ethereal able to capture on the interface device 
> "any" (to capture on two different interfaces at the same time) in promiscuous 
> mode (to capture all the messages, not only the messages directed to 
> the addresses of the devices) ?

Ethereal just calls "pcap_open_live()" - which is part of 
libpcap/WinPcap, not Ethereal - to capture on an interface, so it's not 
a question of the version of Ethereal, it's a question of the version of 
libpcap.

On Linux, the "any" pseudo-interface is implemented by not binding the 
PF_PACKET socket to a particular device, so packets from all interfaces 
are sent to the device, and promiscuous mode is implemented by doing a 
SOL_PACKET/PACKET_ADD_MEMBERSHIP setsockopt() call, with an type 
argument of PACKET_MR_PROMISC and with an interface index argument 
giving the index of the device, on the PF_PACKET socket.

The requirement for the interface index argument means that the call 
doesn't put all devices into promiscuous mode, it just puts a particular 
device into promiscuous mode.  Nobody's written and contributed to the 
libpcap developers any code to make it iterate over all the devices if 
promiscuous mode is requested on the "any" device; that'd be the only 
way to support promiscuous mode on the "any" device.  (That would, of 
course, not help if, for example, you plugged a PCMCIA adapter into the 
machine while the capture was running, as that device wouldn't exist at 
the time the capture was started.)