Ethereal-dev: Re: [Ethereal-dev] Duplicate Packets Captured

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Mon, 21 Jun 2004 16:50:44 -0700 (PDT)
andy.quick@xxxxxxxxxx said:
> I am using Ethereal 0.10.4 and WinPcap 2.3 on a laptop with Win2k and a
> Sierra Wireless AirCard 750 to analyze network traffic on a GPRS network.
> I wrote a small program to send 1 UDP datagram to an IP address.  After
> stopping the capture, I see 2 identical UDP packets with the IP address as
> destination in the list of packets captured.  When I run the same program,
> while capturing over an ethernet adapter, I see just 1 UDP packet in the
> capture.  This also happens with WinPcap 3.0.  Can anyone tell me what is
> going on here?

You're probably capturing with a device whose driver is being obnoxious
and somehow causing two packets to be seen by WinPcap.

I am very sorely tempted to put, in large red letters on the Ethereal home
page, "DO NOT USE ETHEREAL, OR ANY OTHER WINPCAP-BASED APPLICATION SUCH AS
WINDUMP OR ANALYZER, TO TRY TO CAPTURE TRAFFIC ON 802.11 NETWORKS ON
WINDOWS.  MOST IF NOT ALL OF THE DRIVERS VENDORS SUPPLY FOR WINDOWS FOR
THEIR 802.11 CARDS SEEM TO SUCK IN VARIOUS ANNOYING WAYS THAT MAKE LIFE
MISERABLE FOR PEOPLE CAPTURING TRAFFIC, EVEN THOUGH MOST ETHERNET DRIVERS
FOR WINDOWS SOMEHOW SEEM TO AVOID THOSE FORMS OF SUCKAGE.  TRY USING
LINUX, FREEBSD, OR NETBSD 2.0-BETA OR LATER IF YOU WANT TO CAPTURE WITH
FREE SOFTWARE, OR TRY USING SNIFFER WIRELESS OR AIROPEEK IF YOU WANT TO
CAPTURE ON WINDOWS (AS THEY HAVE PEOPLE THEY PAY TO WRITE AND SUPPORT
THEIR OWN WIRELESS CARD DRIVERS)."

That suckage is *very* frustrating, and there's nothing Ethereal can do
about it - there's probably not even anything that WinPcap can do about
it.  Perhaps someday Microsoft will provide enough support (e.g., OIDs for
802.11 NDIS drivers to support, and a clearer statement on what the
various NDIS filtering modes do), and will also not give Windows HCL
certification for drivers that make life difficult for network analyzing
software, to get the problem fixed.  I'm not holding my breath, however.