Wireshark-users: Re: [Wireshark-users] capture not seeing packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 5 Jan 2019 16:48:16 -0800
On Jan 5, 2019, at 4:09 PM, Alan Partis <alpartis@xxxxxxxxxxxxxx> wrote:

> What drives the lights?  I don't have that degree of detail handy, but I
> guess the question I'd have to ask is this: is there a way to get
> Wireshark to _see_ runts or packets with invalid CRC, or other errors?
> I recognize that you're asking if there's a way to get the ethernet
> adapter to supply this info, so I'm going to assume that either way, it's
> not a function of Wireshark.

It's not, except to the extent that some hardware *might* have a "supply bad packets to the host" option and some drivers *might* enable that option if you ask them to put the device into promiscuous mode; if those are the case, all Wireshark could do would be to capture in promiscuous mode.

You'd have to determine what type of interface is on your laptop and whether the driver does that.  This would probably be easier for Linux or *BSD than for, say, Windows or macOS, as it's easier to figure this out for open-source drivers.

(In a better world, all OS kernel capture mechanisms - or mechanisms atop which capture mechanisms can be built, such as NDIS on Windows - would offer, for wired shared-medium LAN adapters, both "promiscuous" mode, which provides all good packets seen by the adapter even if they're not directed to the host but discards bad packets and doesn't provide the CRC as part of the packet data, and "sniffer" mode, which provides all packets, good or bad, seen by the adapter, and provides the CRC as well as error flags such as runt, bad CRC, etc.  Sadly, we don't live in that world.

Of course, once you get to switched networks, you probably also have to configure a monitor port on which you do sniffing, and the switch would have to pass on bad packets to that port, or you'd have to use a tap.  But I digress....)
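
An added example, not part of the original message or of Wireshark: on Linux, ethtool lists two driver features relevant to the question above, `rx-all` (pass errored frames up to the host) and `rx-fcs` (keep the FCS in the packet data), and this sh script classifies them from `ethtool -k` output. It assumes a Linux host with ethtool; the sample outputs and the interface name `eth0` are constructed.

```shell
#!/bin/sh
# Added example (assumes Linux with ethtool). Sample outputs are constructed.

# feature_state NAME: read `ethtool -k` output on stdin, print
# on | off | fixed-on | fixed-off | absent for feature NAME.
feature_state() {
    awk -v feat="$1" '
        $1 == (feat ":") {
            state = $2
            if ($3 == "[fixed]") state = "fixed-" state
            found = 1; print state; exit
        }
        END { if (!found) print "absent" }'
}

# can_deliver_bad_frames: read `ethtool -k` output on stdin; print "yes" when
# the driver exposes both rx-all (errored frames) and rx-fcs (FCS kept in
# packet data) and neither is locked off, otherwise "no".
can_deliver_bad_frames() {
    out=$(cat)
    for f in rx-all rx-fcs; do
        case $(printf '%s\n' "$out" | feature_state "$f") in
            on|off|fixed-on) ;;
            *) echo no; return 0 ;;
        esac
    done
    echo yes
}

# Constructed sample: driver that lets both features be toggled.
SAMPLE_TOGGLE='Features for eth0:
rx-checksumming: on
rx-fcs: off
rx-all: off'

# Constructed sample: driver that does not support passing bad frames.
SAMPLE_FIXED='Features for eth0:
rx-checksumming: on
rx-fcs: off [fixed]
rx-all: off [fixed]'

printf '%s\n' "$SAMPLE_TOGGLE" | can_deliver_bad_frames   # prints "yes"
printf '%s\n' "$SAMPLE_FIXED"  | can_deliver_bad_frames   # prints "no"

# On a real host (eth0 is a placeholder interface name):
#   ethtool -k eth0 | can_deliver_bad_frames
#   ethtool -K eth0 rx-all on rx-fcs on    # then capture in promiscuous mode
```

A "yes" only means the driver advertises the features; whether the hardware actually hands up runts and bad-CRC frames still has to be confirmed with a capture.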