Join us 4-8 November in Vienna for SharkFest'24 EUROPE, the official Wireshark Developer and User Conference
Wireshark logo

Ethereal-users: RE: [Ethereal-users] Capturing Packets with IBM Thinkpad

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: <mike.thackray@xxxxxxxxx>
Date: Thu, 27 Feb 2003 10:08:46 -0000
Thanks for the reply Guy.
I am running Win2k - someone has to ;-)

For testing purposes I am using a Linksys EFAH05W 10/100 Ethernet hub. To the best of my knowledge this device does not function as a switch (unless you know different). I have three machines connected to the hub (including the Thinkpad) all running at 100M. I conclude that my interface is not in promiscuous mode because I cannot see packets sent between the other two machines - I can only see packets sent to or from the Thinkpad and broadcasts.

I have searched the Windows control panel and command prompt help but cannot find anything that will tell me whether the interface is in promiscuous mode or not.

If I can't get this to work, my next idea is to try a different Ethernet adapter that I *know* can be put in promiscuous mode - can anyone recommend one?

Best regards, Mike

-----Original Message-----
From: ext Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Wednesday, February 26, 2003 10:47 PM
To: Thackray Mike (NET/Huntingdon)
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Capturing Packets with IBM Thinkpad


On Wed, Feb 26, 2003 at 10:01:58AM -0000, mike.thackray@xxxxxxxxx wrote:
> Hi, I am running Ethereal on an IBM Thinkpad T22

What OS is the Thinkpad running?

> and I cannot seem to put the built-in Ethernet interface adapter into
> promiscuous mode, despite the option being set in Ethereal.

How are you determining that it's not in promiscuous mode?

Note that:

	1) just because the interface is in promiscuous mode, that
	   doesn't mean it'll capture all packets on the network, if
	   it's a switched network or a network with a dual-speed hub:

		http://www.ethereal.com/faq.html#q5.1

	2) at least on Linux, the mechanism used by newer versions of
	   libpcap to put an interface into promiscuous mode does *NOT*
	   cause "ifconfig" to report that the interface is in
	   promiscuous mode (because it doesn't set the IFF_PROMISC flag
	   - instead, it makes a call that causes an internal
	   "promiscuous" flag to be set, and when the last socket on
	   which such a call was made is closed, the kernel turns off
	   promiscuous mode, at least if IFF_PROMISC hasn't been set).