Ethereal-users: AW: [Ethereal-users] Adapter Problem in promiscuous mode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Berthold Seidel" <BertholdSeidel@xxxxxxxxxxxxxx>
Date: Mon, 1 May 2006 20:40:41 +0200
Hi Guy,

thank you for your detailed answer. It looks like I'll have to set up Linux
on my machine to get this running. (I've no experience with Linux yet.) I've
another adapter, a Netgear WG511T PCMCIA-card. Do you think that will work
better?

Berthold

-----Original Message-----
From: Guy Harris [mailto:gharris@xxxxxxxxx]
Sent: Sunday, 30 April 2006 21:12
To: Ethereal user support
Subject: Re: [Ethereal-users] Adapter Problem in promiscuous mode


Berthold Seidel wrote:

> Is there a problem with the command that should be issued by Ethereal
> to the adapter or is something else wrong?

Yes, something else is wrong.

What's wrong is, apparently, Intel's claim on that page that "All Intel 
PRO adapters and their software drivers support promiscuous mode."  That 
claim might have been true at the time they wrote that page - which was, 
I suspect, a time before they had an 802.11 adapter, because I suspect 
it was a time before 802.11 adapters existed, as it was probably a time 
before *802.11* existed.  The "10/100" suggests the epoch of that page....

Ethereal doesn't issue a command to the adapter, it just passes 1 as the 
"promisc" argument to pcap_open_live().

On Windows, WinPcap, if it gets that argument, uses a particular NDIS 
"filter" (NDIS_PACKET_TYPE_PROMISCUOUS) when setting up to capture from 
the device; that "filter" requests promiscuous mode.  For some unknown 
reason, wireless card drivers on Windows do a *REALLY BAD* job of 
handling requests to enter promiscuous mode - they either refuse, for 
some mysterious reason, to supply any packets on the NDIS attachment 
with promiscuous mode enabled, or supply only packets received by the 
machine, not packets sent by the machine, perhaps because only the 
description of NDIS_PACKET_TYPE_ALL_LOCAL (the "filter" used in 
non-promiscuous mode) *explicitly* says "All packets sent by installed 
protocols" (i.e., they assume that's the only mode that should supply 
packets sent by the machine).

This is noted in the Ethereal FAQ:

	http://www.ethereal.com/faq#q8.9

	http://www.ethereal.com/faq#q8.10

As for the Zonealarm problem, for some reason, some networking kernel 
code doesn't work well with WinPcap; the WinPcap developers might have a 
better understanding why this is.

> If there’s no other solution: Can anybody recommend a PCMCIA adapter
> (802.11b/g) that works reliably in promiscuous mode under XP?

Unfortunately, I can't (my main machine is a PowerBook, and OS X is a 
UN*X, and handles promiscuous mode on its wireless adapter in a 
reasonable fashion).  I'm not sure *anybody's* discovered such an 
adapter, although you might check the list of adapters mentioned in the 
first of the FAQs.