Ethereal-users: Re: [Ethereal-users] W2k/ NDIS driver

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 17 Jun 2002 12:11:15 -0700

On Mon, Jun 17, 2002 at 09:00:04AM +0100, alf hardy wrote:
> On the Ethereal Web site, it states that due to binding problems in W2K,
> Ethereal will not work properly.

There is an item in the FAQ:

	http://www.ethereal.com/faq.html#q4.11

that says that Ethereal can't capture on PPP devices on Windows NT (NT
4.0, NT 5.0 a/k/a Windows 2000, and NT 5.1 a/k/a Windows XP and Windows
.NET Server), but it doesn't say anything about bindings.

There are some mail messages that quote an item in the *WinPcap* FAQ:

	http://winpcap.polito.it/misc/faq.htm

namely question 6:

	Q-6: Can I use WinPcap on a PPP connection?

	A: We have tested WinPcap on PPP connections under Windows 95,
	Windows 98 and Windows ME.  In Windows 95, due to a bug in NDIS,
	WinPcap sometimes resets the PPP connection.  In Windows 98/ME
	this bug appears to be corrected, and WinPcap seems to receive
	correctly, however it is not able to send packets.  Under
	Windows NT/2000/XP there are problems with the binding process,
	that prevent a protocol driver from working properly on the WAN
	adapter.  The problem is caused by the PPP driver of WinNTx,
	ndiswan, that doesn't provide a standard interface to capture.

Neither of those speaks of a *generic* problem, just a problem with PPP
devices.  (It certainly works properly capturing on Ethernet on my W2K
machine at work, for example.)

> I am experiencing the symptoms mentioned.
> It appears that the problem lies with the generic Microsoft code and not in
> the Ethereal code itself according to the ethereal documentation.

It's *definitely* not in the Ethereal code, because Ethereal doesn't
include any code to talk to NDIS drivers, it only includes code to call
libpcap/WinPcap to talk to whatever OS facility - or add-on facility, in
the case of WinPcap - allows packet capture.

I.e., this is not an issue with which Ethereal itself is at all
involved, it's a WinPcap issue that affects any application that uses
WinPcap.

> Does anyone know of a fix to this problem?

A claim has been made by an Ethereal user:

	http://www.mail-archive.com/winpcap-users@xxxxxxxxxxxxxxxxx/msg00127.html

that an application using WinPcap (WinDump, Analyzer, Ethereal, etc.)
can capture on a PPP device on at least some versions of NT (the user
making the claim tried it on NT 5.0, i.e. W2K) *if* you have the Network
Monitor driver installed and you capture on \Device\Packet_NdisWanBh
rather than on \Device\Packet_NdisWanIp or some other Packet_NdisWan
device.

As Loris Degioanni notes in that message:

	I don't make this page public yet because I don't know if the
	procedure works on other machines/OSes (NT4, XP...) and, if it
	works, I don't know to enable it on different OSes.  Therefore,
	I will be happy to receive feedback from the users that try it.

so there is no guarantee that it'll work on all versions of NT, but it
did seem to work for at least one W2K user.