Ethereal-users: Re: [Ethereal-users] Windows 2000 and promiscuous mode
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 2 Oct 2001 12:23:30 -0700 (PDT)
> I'd like to be able to enable promiscuous mode on the Windows 2000
> version of Ethereal.
>
> I have all the appropriate boxes checked, but I still only see traffic
> to and from my local machine.

http://www.ethereal.com/faq.html#q3.6

"Q 3.6: I can't see any TCP packets other than packets to and from my machine, even though another sniffer on the network sees those packets.

A: This might be because the network interface on which you're capturing doesn't support "promiscuous" mode, or because your OS can't put the interface into promiscuous mode. Normally, network interfaces supply to the host only: packets sent to one of that host's link-layer addresses; broadcast packets; multicast packets sent to a multicast address that the host has configured the interface to accept.

Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see. However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast and perhaps some multicast packets; TCP doesn't use broadcast or multicast, so you will only see your own TCP traffic, but UDP services may use broadcast or multicast so you'll see some UDP traffic - however, this is not a problem with TCP traffic, it's a problem with unicast traffic, as you also won't see all UDP traffic between other machines.

This might also be because the interface on which you're capturing is plugged into a switch; on a switched network, unicast traffic between two ports will not necessarily appear on other ports. Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your sniffer into that single port to sniff all traffic."

Is your machine plugged into a switch or switching hub? If so, is the port into which it's plugged set to "mirror" stuff sent to the other ports? (Some switches, I think, let you do this; you'd have to check the documentation for the switch to see how to do it.)

If it's plugged into a switch, and the port into which it's plugged isn't set to mirror traffic, that could be the problem.

If it's not plugged into a switch, or the port isn't set to mirror traffic, try running WinDump:

http://netgroup-serv.polito.it/windump/

(which defaults to promiscuous mode). If that doesn't work either, it's probably a WinPcap problem or a driver problem, so you should send mail to winpcap@xxxxxxxxxxxxxxxxxxxxxxx

> If not, I'll just run it from FreeBSD or Linux

On the same machine? If you have gotten it to run in promiscuous mode on the same machine, when the machine is running FreeBSD or Linux, then it's almost certainly either a WinPcap or a driver problem.
- References:
- [Ethereal-users] Windows 2000 and promiscuous mode
- From: Gabe Green
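
The FAQ answer quoted in the message above lists which frames a non-promiscuous interface supplies to the host. The following is an added example, not part of the original message or of Ethereal: it sorts the (source, destination) MAC pairs of a capture into those categories and reports whether any unicast frame between two other stations was seen. The function names, MAC addresses and sample frames are constructed for illustration.

```python
# Added example: classify captured Ethernet frames by destination address.
# All MAC addresses and frames below are constructed sample data.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    # Bit 0 of the first octet marks a group (multicast or broadcast) address.
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(src, dst, own_macs):
    """Name the category of one frame relative to the capturing host."""
    src, dst = src.lower(), dst.lower()
    if dst == BROADCAST:
        return "broadcast"
    if is_group(dst):
        return "multicast"
    if dst in own_macs:
        return "unicast-to-host"
    if src in own_macs:
        return "unicast-from-host"
    # Unicast between two other stations: a non-promiscuous interface
    # would not have supplied this frame to the host.
    return "unicast-other"

def diagnose(frames, own_macs):
    """frames: iterable of (src_mac, dst_mac). Returns (counts, verdict)."""
    own = {m.lower() for m in own_macs}
    counts = {}
    for src, dst in frames:
        kind = classify(src, dst, own)
        counts[kind] = counts.get(kind, 0) + 1
    verdict = "promiscuous-ok" if counts.get("unicast-other") else "own-traffic-only"
    return counts, verdict

# Constructed captures: one showing only the host's own traffic plus
# broadcast/multicast, one that also contains traffic between other hosts.
HOST, PEER, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE_OWN_ONLY = [
    (HOST, PEER), (PEER, HOST), (PEER, BROADCAST), (OTHER, "01:00:5e:00:00:fb"),
]
SAMPLE_PROMISC = SAMPLE_OWN_ONLY + [(PEER, OTHER), (OTHER, PEER)]

if __name__ == "__main__":
    for name, sample in (("own-only", SAMPLE_OWN_ONLY), ("promisc", SAMPLE_PROMISC)):
        print(name, diagnose(sample, [HOST]))
```

An `own-traffic-only` verdict fits both causes named in the message (an interface that is not in promiscuous mode, or a switch port that is not mirroring) and cannot tell them apart; it also occurs on a segment that is simply idle.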