Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-users: Re: [Ethereal-users] Adapter Problem in promiscuous mode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 30 Apr 2006 12:11:58 -0700
Berthold Seidel wrote:
Is there a problem with the command that should be issued by Ethereal to the adapter or is something else wrong? 

Yes, something else is wrong.
What's wrong is, apparently, Intel's claim on that page that "All Intel PRO adapters and their software drivers support promiscuous mode." That claim might have been true at the time they wrote that page - which was, I suspect, a time before they had an 802.11 adapter, because I suspect it was a time before 802.11 adapters existed, as it was probably a time before *802.11* existed. The "10/100" suggests the epoch of that page....
Ethereal doesn't issue a command to the adapter, it just passes 1 as the "promisc" argument to pcap_open_live().
On Windows, WinPcap, if it gets that argument, uses a particular NDIS "filter" (NDIS_PACKET_TYPE_PROMISCUOUS) when setting up to capture from the device; that "filter" requests promiscuous mode. For some unknown reason, wireless card drivers on Windows do a *REALLY BAD* job of handling requests to enter promiscuous mode - they either refuse, for some mysterious reason, to supply any packets on the NDIS attachment with promiscuous mode enabled, or supply only packets received by the machine, not packets sent by the machine, perhaps because only the description of NDIS_PACKET_TYPE_ALL_LOCAL (the "filter" used in non-promiscuous mode) *explicitly* says "All packets sent by installed protocols" (i.e., they assume that's the only mode that should supply packets sent by the machine). 

This is noted in the Ethereal FAQ:

	http://www.ethereal.com/faq#q8.9

	http://www.ethereal.com/faq#q8.10
As for the Zonealarm problem, for some reason, some networking kernel code doesn't work well with WinPcap; the WinPcap developers might have a better understanding why this is.
If there�s no other solution: Can anybody recommend a PCMCI adapter (802.11b/g) that works reliably in promiscuous mode under XP?
Unfortunately, I can't (my main machine is a PowerBook, and OS X is a UN*X, and handles promiscuous mode on its wireless adapter in a reasonable fashion). I'm not sure *anybody's* discovered such an adapter, although you might check the list of adapters mentioned in the first of the FAQs.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube