Ethereal-users: Re: [Ethereal-users] Re: ethereal on Win XP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 12 Feb 2002 19:16:55 -0800 (PST)
> Again: "windump" runs, "ethereal" does not.

"Runs" in the sense that "windump -D" reports the device, or "runs" in
the sense that you can do

	windump -i \Device\Packet_{58634D63-6C4F-4607-AEB3-A1BBB4EA120A}

and it captures packets?

> So here is the output of  "windump -D" (is there a program named 
> "winpcap" ?)
> 
>     C:\Temp\Giftschrank>windump.exe -D
>     1.\Device\Packet_{58634D63-6C4F-4607-AEB3-A1BBB4EA120A} (Intel 8255x-based Integrated Fast Ethernet (Microsoft's Packet Scheduler) )
>     2.\Device\Packet_NdisWanIp (NdisWan Adapter (Microsoft's Packet Scheduler) )
> 
> If I insert the 1st device into the Ethereal dropdown as suggested by
> Thomas, I just get the above mentioned message.
>
> With that finding the winpcap people already sent me to
> "ethereal-users", and now I'm getting bounced back.
>
> What is astonishing is that windump offers two interfaces, but ethereal
> just presents an empty list.

Not astonishing in the least if you know the way that WinDump and
Ethereal generate their lists.

WinDump just dumps the list of devices that WinPcap gives it.

Ethereal, however, actually tries to open the device, as the fact that a
device is reported to exist by some mechanism doesn't mean you can
actually open it with libpcap/WinPcap.  (For example, the loopback
device shows up in the list you get from Solaris, but you can't capture
on it.)

What happens if you run

	windump -i \Device\Packet_{58634D63-6C4F-4607-AEB3-A1BBB4EA120A}
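
The difference described in the message above, between a list of reported devices and a list of devices that can actually be opened, shown as an added example. It is not part of the original message and is not Ethereal's or WinDump's code. It calls the libpcap functions pcap_findalldevs and pcap_open_live through ctypes; the Python function names, the snapshot length and the timeout are assumptions made for illustration.

```python
from ctypes import (CDLL, POINTER, Structure, byref, c_char_p, c_int, c_uint,
                    c_void_p, create_string_buffer)
from ctypes.util import find_library

class PcapIf(Structure):
    """Mirror of libpcap's pcap_if_t linked-list node."""
PcapIf._fields_ = [("next", POINTER(PcapIf)), ("name", c_char_p), ("description", c_char_p),
                   ("addresses", c_void_p), ("flags", c_uint)]

def load_pcap():
    """Load libpcap (wpcap.dll on Windows) and declare the calls used below."""
    path = find_library("pcap") or find_library("wpcap")
    if not path:
        raise OSError("libpcap / WinPcap not found")
    lib = CDLL(path)
    lib.pcap_findalldevs.argtypes = [POINTER(POINTER(PcapIf)), c_char_p]
    lib.pcap_freealldevs.argtypes = [POINTER(PcapIf)]
    lib.pcap_open_live.restype = c_void_p
    lib.pcap_open_live.argtypes = [c_char_p, c_int, c_int, c_int, c_char_p]
    lib.pcap_close.argtypes = [c_void_p]
    return lib

def reported_devices(lib):
    """WinDump-style list: every name the library reports, none opened yet."""
    head, err = POINTER(PcapIf)(), create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    if lib.pcap_findalldevs(byref(head), err) != 0:
        raise OSError(err.value.decode(errors="replace"))
    names, node = [], head
    while node:  # walk the linked list until the NULL next pointer
        names.append(node.contents.name.decode())
        node = node.contents.next
    lib.pcap_freealldevs(head)
    return names

def pcap_probe(lib):
    """Build probe(name): None if the device opens, else libpcap's error text."""
    def probe(name):
        err = create_string_buffer(256)
        handle = lib.pcap_open_live(name.encode(), 68, 0, 1000, err)  # arbitrary snaplen/timeout
        if not handle:
            return err.value.decode(errors="replace")
        lib.pcap_close(handle)
        return None
    return probe

def split_by_openability(names, probe):
    """Ethereal-style filter: (names that open, {name: error} for the rest)."""
    errors = {n: e for n in names if (e := probe(n)) is not None}
    return [n for n in names if n not in errors], errors
```

With `lib = load_pcap()`, calling `split_by_openability(reported_devices(lib), pcap_probe(lib))` returns the openable names plus the per-device error text, which is the detail an empty interface list hides.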