Wireshark-users: Re: [Wireshark-users] capturing packets in "stealth" mode on Windows

From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Sat, 3 Feb 2007 15:27:12 -0500
Dave,

Under the Network Adapter Properties, under the General Tab, you should
see a list of clients/protocols/etc. that "use" the particular network
adapter.  For example:
Client for Microsoft Networks
VMware Bridge Protocol
Deterministic Network Enhancer
File and Printer Sharing for Microsoft Networks
Network Monitor Driver
Internet Protocol (TCP/IP)

You want to uncheck everything except the Network Monitor Driver - I
believe this is what WinPcap is using to monitor the network adapter.

You should then be able to "silently" monitor the network that this
particular network adapter is hooked up to.  I have tried this and it
works for me.

That said, if you want a perfect solution, you would have to get
a switch that can mirror/SPAN ports, or get a network tap, or cut the
transmit wires on the patch cord.

--Jim

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of David Durgee
> Sent: Saturday, February 03, 2007 9:26 AM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] capturing packets in "stealth" mode on Windows
> 
> I need to capture packets between a cable modem and a
> router for diagnostic purposes.  I have inserted a hub
> between them, so I can attach the Win2K system to it,
> but I need to avoid having the capturing system
> inserting packets of its own as it might either mask
> the problem I am trying to diagnose or create new
> problems.
> 
> I have downloaded and installed Wireshark 0.99.4 on a
> Windows 2000 system.  I am able to capture packets on
> my ethernet interface with the interface enabled and
> in full operation, but if I disable the interface as I
> expect I will need to in order to operate "stealthy"
> the interface is not available to select for capture
> in Wireshark.
> 
> How do I need to configure things to be able to do
> what I need?  Can I define another ethernet interface
> using the same NIC that has no protocols enabled on it
> and then swap which one is enabled?  Do I need to
> disable all protocols on the existing interface for
> the capture and then manually re-enable them when I
> want to reconnect to the network?
> 
> Any help appreciated.
> 
> Dave
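
An added check, not part of the original messages or of Wireshark: after unbinding the protocols as described in the reply, one way to confirm the capturing NIC stayed silent is to scan a capture taken on that host for frames whose Ethernet source is the NIC's own MAC address. It assumes a classic pcap file that includes the host's own transmitted frames; the sample capture, the MAC addresses and the function names are constructed for illustration.

```python
import struct

# Classic pcap magic numbers as they appear on disk -> struct byte-order prefix.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
LINKTYPE_ETHERNET = 1

def frames_sent_by(pcap_bytes, own_mac):
    """Return (frame number, destination MAC, EtherType) for each frame sourced from own_mac."""
    own = bytes.fromhex(own_mac.replace(":", "").replace("-", ""))
    if len(own) != 6:
        raise ValueError("own_mac must be a 6-byte MAC address")
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("capture is not Ethernet")
    leaks, offset, number = [], 24, 0            # records start after the 24-byte file header
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        if len(frame) >= 14 and frame[6:12] == own:   # bytes 6..11 = source MAC
            ethertype = struct.unpack("!H", frame[12:14])[0]
            leaks.append((number, frame[0:6].hex(":"), ethertype))
    return leaks

def sample_pcap():
    """Constructed capture: modem -> router, an ARP broadcast from the capture NIC, router -> modem."""
    def record(dst, src, ethertype):
        frame = bytes.fromhex(dst + src) + struct.pack("!H", ethertype) + bytes(46)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    modem, router, own = "020000000001", "020000000002", "0200000000aa"   # constructed MACs
    return (header + record(router, modem, 0x0800)
            + record("ffffffffffff", own, 0x0806) + record(modem, router, 0x0800))

if __name__ == "__main__":
    for number, dst, ethertype in frames_sent_by(sample_pcap(), "02:00:00:00:00:aa"):
        print(f"frame {number}: capture NIC sent EtherType 0x{ethertype:04x} to {dst}")
```

An empty result for the NIC's real MAC address over a long capture is the outcome to look for; any entry names the frame number to inspect in Wireshark.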