
Wireshark-users: Re: [Wireshark-users] capturing packets in "stealth" mode on Windows

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sat, 03 Feb 2007 18:55:34 +0100
David Durgee wrote:
> I have downloaded and installed Wireshark 0.99.4 on a
> Windows 2000 system.  I am able to capture packets on
> my ethernet interface with the interface enabled and
> in full operation, but if I disable the interface as I
> expect I will need to in order to operate "stealthy"
> the interface is not available to select for capture
> in Wireshark.

Obviously, if you disable an interface - it's disabled :-)

> How do I need to configure things to be able to do
> what I need?  Can I define another ethernet interface
> using the same NIC that has no protocols enabled on it
> and then swap which one is enabled?  Do I need to
> disable all protocols on the existing interface for
> the capture and then manually re-enable them when I
> want to reconnect to the network?

Disabling the TCP/IP stack of that interface should usually be enough to keep the interface quiet - however, I never tried it myself to see if it's really quiet then.

There are potentially a lot of services running on top of a network interface; some common ones today are:

- TCP/IP (switch this off - this will prevent ARP, DNS, NBNS, ... from getting on the network)
- VPN (switch this off)
- services to capture network traffic (should send no packets)
- personal firewall software (should send no packets)

Hope this helps,

Regards, ULFL
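
Added example (not part of the original message): one way to check whether the interface really stays quiet is to scan a capture for frames whose Ethernet source address is the capture NIC's own MAC. It assumes a classic pcap file that includes locally transmitted frames (or one taken by a second machine on the same segment); the MAC addresses and the sample capture are constructed, and the function name is hypothetical.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def frames_sent_by(pcap_bytes, own_mac):
    """Return (frame number, EtherType name) for every frame sourced from own_mac."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    own = bytes.fromhex(own_mac.replace(":", "").replace("-", ""))
    hits, offset, number = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        # Ethernet header: 6 bytes destination, 6 bytes source, 2 bytes EtherType
        if len(frame) >= 14 and frame[6:12] == own:
            etype = struct.unpack("!H", frame[12:14])[0]
            hits.append((number, ETHERTYPES.get(etype, hex(etype))))
    return hits

# --- constructed sample capture (not real traffic) ---
def _frame(dst, src, etype):
    return bytes.fromhex(dst + src) + struct.pack("!H", etype) + b"\x00" * 46

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

OWN_MAC = "02:00:00:00:00:01"  # constructed MAC standing in for the capture NIC
SAMPLE = _pcap([
    _frame("ffffffffffff", "020000000002", 0x0806),  # another host's ARP
    _frame("ffffffffffff", "020000000001", 0x0806),  # capture host's ARP: a leak
    _frame("020000000002", "020000000003", 0x0800),  # third-party IPv4
    _frame("3333000000fb", "020000000001", 0x86DD),  # capture host's IPv6: a leak
])

if __name__ == "__main__":
    for number, kind in frames_sent_by(SAMPLE, OWN_MAC):
        print(f"frame {number}: {kind} frame sent by the capture host")
```

An empty result over a long enough capture means nothing bound to the interface transmitted during that window; any hit names the protocol family that still needs to be switched off.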