Wireshark · Ethereal-dev: Re: [Ethereal-dev] Problems capturing on networks other of my own?

[Guy Harris <guy@xxxxxxxxxx>]

CCing "winpcap@xxxxxxxxxxxxxxxxxxxxxxx", to make sure the WinPcap
developers, who are the people most likely to have a clue what's
happening here, see it.

> Win32/0.8.1.6/WinPcap2.1/Win2KSP1:
> I have a laptop on subnet 10.10.X/24, I took it to subnet 10.10.Y/24,
> withouth changing its IP I tried to snoop on connections with 'host
> 10.10.Y.2 or 10.10.Y.3' - In TCP, all I got were connections that originated
> or destined to one of those hosts, but that their peer was on 10.10.X/24.
> Couldn't get even a single TCP packet between them, though connections were
> flying between the two. Seemed like Ethereal/WinPcap had to have one of the
> IPs in TCP on its subnet (which was not valid at the moment the capture took
> place).
> Any ideas?
> With MS Network Monitor (on another laptop) it worked fine.
> I was using a hub of course, no VLANs.

The WinPcap FAQ says:

	Q-11: Why WinPcap does not work on interfaces that do not have
	TCP/IP bound on them?

	A: From version 2.1, WinPcap requires the TCP/IP to be installed
	on the interface on which capture is launched.  This is a
	requirement of the new dynamic installation process, that
	'copies' the bindings of the TCP protocol driver in order to
	detect the network adapters.

This doesn't necessarily have anything to do with the problem you're
seeing, as your machine presumably does have TCP/IP installed on the
interface, and as I suspect that's what matters, not the IP address;
however, there may be some other way in which WinPcap depends on the IP
address (rather than the netmask) of the interface on which you're
capturing.