Wireshark · Ethereal-users: Re: [Ethereal-users] listen on 'any'

Ethereal-users: Re: [Ethereal-users] listen on 'any'

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 10 May 2004 11:10:15 -0700

On Mon, May 10, 2004 at 05:29:31PM +0200, Philippe De Neve wrote:
> I start ethereal. If I try to listen on 'any' interface I only see the
> packets on eth2. I do not see the traffic on eth1 and eth0.
> But when I open a second ethereal and I start listening on e.g. eth1 the
> first ethereal also starts seeing traffic on this interface.

Is the second Ethereal running in promiscuous mode?

If so, is the traffic you're seeing from eth1 traffic to or from the
machine running Ethereal or broadcast or multicast traffic?

If not, this is probably because promiscuous mode isn't supported on the
"any" device (it's not a real device from the Linux kernel's standpoint
- libpcap captures on the "any" device by capturing on no *specific*
device, so that the kernel supplies packets from all devices, rather
than a specific device - to the socket, and I don't think you can
request promiscuous mode on an unbound PF_PACKET socket), so, with the
"any" device, you'll only see "third-party" traffic if promiscuous mode
is turned on for that interface by some other mechanism such as
capturing in promiscuous mode on that device.

References:
- [Ethereal-users] listen on 'any'
  - From: Philippe De Neve

Prev by Date: [Ethereal-users] Re: Ethereal-devUsing doxygen for generating developer documentation?
Next by Date: [Ethereal-users] Filters
Previous by thread: [Ethereal-users] listen on 'any'
Next by thread: [Ethereal-users] Re: Ethereal-devUsing doxygen for generating developer documentation?
Index(es):
- Date
- Thread