Wireshark-users: Re: [Wireshark-users] Wireshark-users] Nvidia MCP onboard wired 10/100/1000 NIC
From: Steve Gladden <steve@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 24 Jan 2012 23:34:26 -0500
I'm still trying to figure out why cannot capture in promiscuous mode on the stated Realtek WIRED NICS built on motherboards.
I've still been unable to find a definitive list on what non wired Ethernet hardware does not do promiscuous mode with winpcap/wireshark.
Any ideas?
These are quite common and I still would like to know with some kind of reference to something why they are not working in wireshark.



Dave, I've of course already done this as had been mentioned in my post.
The point of my posting to the list is this is the first time I've ever come across a WIRED Ethernet Interface type that I could not capture on in promiscuous mode.
It's got me incredibly curious as to if it's a chip or driver issue and if it's by design or was it turned off somewhere where it may be re-enabled.
This is common with wireless devices but NOT wired Ethernet adaptors.

I'm looking for more information or pointers as to why this does not work with the particular onboard Realtek device mentioned as well as a list of any other non wireless hardware that does not work and why.
You mention that some NICS don't work.. aside from most wireless 802.11x devices can you point me toward or suggest a list of what WIRED devices do not work and why this might be?

I already know it doesn't work, and that I can use a different card, I'd also like to know why it doesn't work.



>Then install a NIC that is known to work in promiscuous mode.  Some NICs just don't.

Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk

That be the problem from my tests the device WILL NOT do promiscuous mode!

I'm very used to this behavior from wireless NICS but this has me scratching my head.
Is this feature disabled behavior built into the chipset or drivers?
And might you be able to point me in the direction of enabling the feature for these devices?
Of course checking the checkmark within wirehark has no affect nor does it generate an error.. It captures but only Broadcast packets and things addressed to the card itself.  (same as if it's not checked) Moving over to a PCIe or PCI Installed Intel or Broadcom card works fine as expected on this same setup.
The NVIdia NIC is working normally and has excellent performance aside from my not being able to get ti to capture in promiscuous mode.

Nic in question is:
RealtekRTL8211CL tied into an NVIDIA GeForce 7025/nForce 630a motherboard chip.
Motherboard is a Gigabyte GA-m68MT-S2P (AMD socket AM3 CPU).

Running Win7 64bit very clean install and up to date.

Wireshark & WINPCAP  info:

Version 1.6.5 (SVN Rev 40429 from /trunk-1.6)

Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, without SMI, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio V19-devel (built Jan
10 2012), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version, based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

All run as administrator on a local administrator account.

Thoughts? Flames?  Did I miss something OBVIOUS in the documentation about Nvidia or Realtek chipsets & drivers?

I'm not finding it!  :)

Steve Gladden