Wireshark-dev: Re: [Wireshark-dev] Wireshark and NetMon (was Re: Frame comments in Microsoft Ne

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 4 Mar 2012 11:40:47 -0800
On Mar 3, 2012, at 10:56 PM, Krishnamurthy Mayya wrote:

> And ya, the final question I did not make it very clear. Hardware dependencies in the sense that kind of device drivers or network adapters (NICs) a system has. I don't really know whether the packet capturing softwares have anything to do with these hardware modules. So, wanted to understand.

Well, a driver is a software module, not a hardware module, but:

	with the NDIS 5-based WinPcap, the driver for a Wi-Fi adapter will govern what happens in promiscuous mode - will it be able to go into promiscuous mode, and will it capture any traffic if it does (I'm not sure whether any drivers support it);

	with the NDIS 6-based mechanism NetMon uses on Windows Vista and later, the driver for a Wi-Fi adapter will govern whether monitor mode is supported - if the driver is an NDIS 6 driver that supports Native Wi-Fi *including* monitor mode, you will be able to capture in monitor mode with NetMon, otherwise not.

If monitor or promiscuous mode doesn't work, you will probably be able to capture, on a Wi-Fi adapter with promiscuous mode turned off, traffic sent by and received by the machine running {WinDump, Wireshark} or NetMon, but that's it.

As for non-Wi-Fi network adapters:

	most if not all Ethernet drivers should support promiscuous mode (but that would also require a network tap or "port mirroring" or something such as that on a switched network);

	if you're on an Ethernet network with VLANs, the driver and adapter might have to be configured to show you VLAN tags if you want to capture traffic and see the VLAN tags (which would, I think, be the same with WinPcap and with NetMon).