Wireshark-users: Re: [Wireshark-users] Newbie question about capture point

Date: Fri, 29 Jun 2007 09:18:35 -0700
I haven't kept up on all aspects of current cards, but this was not the 
case historically - with the exception of 3Com, who has been blocking 
datalink errors for years. I haven't kept current with the last generation 
or so, about when gigabit became common. When I looked into TOE cards a 
few years ago the TOE feature could be disabled (one issue was ENABLING it 
for some OSes!); IIRC the checksum offloading could be disabled as well. 
Still, getting to fully promiscuous capture isn't easy - support is 
required right up the line. If you really need to see all datalink errors 
these days a hardware analyzer is probably best.
Randy Grein
Network Engineer



"Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
06/29/2007 08:51 AM
Please respond to: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Newbie question about capture point

I might be wrong, but I don't think many OSes and network cards do provide
corrupted packets (wrong FCS or link layer errors) even when put into
promiscuous mode. This is because usually the MAC chip on the cards
discards them without even moving them to host memory (for performance
reasons). Also, consider that one of the issues is that newer network
cards perform a lot of processing (TCP offloading, or checksum
computation, just to name two of them) directly in hardware. Capturing the
packets that actually get transmitted on the network is much harder in
this case, as the OS (hence WinPcap) sees the packets that are sent from
host to the network card, not the packets that actually get transmitted.

Hope it helps
GV


----- Original Message ----- 
From: <Randy.Grein@xxxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, June 29, 2007 8:03 AM
Subject: Re: [Wireshark-users] Newbie question about capture point


> Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the
> Windows protocol analyzer problems. NDIS never did fully specify a
> promiscuous mode, so it's left up to the vendor who writes the driver.
> Card vendors supply some promiscuous functionality, but AFAIK none pass
> on all error packets. So you may see packets destined for other hosts,
> broadcasts, etc. but you may not see runts or giants. You may not see
> framing errors. Some, like the older 3Com (I'm not sure if they still
> do) filter all errors in hardware, so you won't even see ethernet
> collisions in a hub environment - but in that case it doesn't matter what
> the drivers do, and you're stuck in any OS. Some commercial protocol
> analyzer vendors supply a custom driver for a few cards, or even a custom
> card and driver that will capture all error packets.
>
>
> Randy Grein
> Network Engineer
>
> "Gajan Nadarajan" <gajannada@xxxxxxxxx>
> Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
> 06/28/2007 11:25 AM
> Please respond to: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Newbie question about capture point
>
> Hello,
>
> I am new to Wireshark and was wondering where exactly does Wireshark
> capture eth packets or frames on the Windows stack (or somewhere on NDIS)?
>
> Would it be before it reaches the driver?
>
> Thank you.

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



- -------------------------

CONFIDENTIALITY NOTICE: The information in this message may be proprietary and/or confidential, and is intended only for the use of the individual(s) to whom this email is addressed.  If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this email and deleting this email from your computer.  Nothing contained in this email or any attachment shall satisfy the requirements for contract formation or constitute an electronic signature.
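
Added example, not part of the thread: a small Python check for the two effects discussed above, a frame whose FCS is wrong (normally dropped by the MAC before capture) and a locally sent frame captured before the NIC fills in the IP header checksum. The MAC addresses, IP addresses, payload and the zeroed checksum field are constructed sample values, and `classify` and `make_frame` are hypothetical helper names.

```python
import struct
import zlib

def fcs_ok(frame_with_fcs: bytes) -> bool:
    """True if the last 4 bytes are a valid Ethernet FCS (CRC-32, stored LSB first)."""
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return zlib.crc32(body) == struct.unpack("<I", fcs)[0]

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(frame: bytes, local_mac: bytes, has_fcs: bool = False) -> str:
    """Say what a host-side capture of this untagged IPv4 frame shows."""
    if has_fcs:
        if not fcs_ok(frame):
            return "bad FCS: damaged on the wire (most NICs drop this before capture)"
        frame = frame[:-4]
    ihl = (frame[14] & 0x0F) * 4
    if ip_checksum(frame[14:14 + ihl]) == 0:  # a header with a correct checksum sums to zero
        return "IP header checksum valid"
    if frame[6:12] == local_mac:
        return "bad IP checksum on a locally sent frame: likely checksum offload"
    return "bad IP checksum on a received frame: corruption or broken sender"

# Constructed sample data (not from the thread).
LOCAL, REMOTE = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def make_frame(src: bytes, dst: bytes, fill_checksum: bool) -> bytes:
    """Build a 60-byte Ethernet II + IPv4 frame; checksum left at zero if not filled."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 46, 1, 0, 64, 17, 0,
                                bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    if fill_checksum:
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return dst + src + b"\x08\x00" + bytes(hdr) + b"\x00" * 26

received = make_frame(REMOTE, LOCAL, fill_checksum=True)
sent_offloaded = make_frame(LOCAL, REMOTE, fill_checksum=False)  # as seen above the NIC
on_wire = received + struct.pack("<I", zlib.crc32(received))     # frame plus FCS
damaged = bytes([on_wire[0] ^ 0x01]) + on_wire[1:]               # one bit flipped in transit

if __name__ == "__main__":
    for f, fcs in ((received, False), (sent_offloaded, False), (on_wire, True), (damaged, True)):
        print(classify(f, LOCAL, has_fcs=fcs))
```

Pass `has_fcs=True` only for captures that actually include the 4-byte FCS; most host-side captures do not.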