<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:Arial;
        color:windowtext;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Yeah, the syntax makes all the difference,
here is the new output:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>D:\Program
Files\windump-3.8.3beta-win32-ipv6>WinDump -D<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>1.\Device\NPF_GenericDialupAdapter
(Generic dialup adapter)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>2.\Device\NPF_{6B4FA49D-0DE0-46A6-A27C-91DEE96304E3}
(Intel(R) PRO/1000 MT <st1:place w:st="on">Mobile</st1:place> Connection
(Microsoft's Packet Scheduler) )<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>3.\Device\NPF_{62C879A1-1F45-4E60-A4AD-4F7B0306E2D5}
(Cisco Systems VPN Adapter (Microsoft's Packet Scheduler) )<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>4.\Device\NPF_{350C0BBB-5D73-4A02-8113-CDFE92B16D28}
(Intel(R) PRO/Wireless 2200BG Network Connection (Microsoft's Packet Scheduler)
)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Here are the drivers I have running on the
Ethernet1000 and wireless cards:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Intel(R) PRO/1000 MT <st1:place w:st="on"><st1:City
w:st="on">Mobile</st1:City></st1:place> (NDIS 5.1), Version: 7.2.17.101<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Intel(R) PRO/Wireless 2200BG Network, Version:
9001-21 Driver<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>About SPANing in Cisco routers, you can sniff
as much as 66 ports or sets of ports or VLANs, depending on the model you are
working with, of course every time you SPAN an item, you are duplicating this
traffic within the box, so the more monitoring sessions you add, the more risk is
generated for the box. I have seen as much as 4 sessions running parallel in a
small switch with heavy traffic and the switch is able to keep on working without
any problem.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>And yes, we were testing the same port.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Gianluca Varenni<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, September 23, 2005
2:34 AM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">winpcap-users@winpcap.org</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Winpcap-users]
Problems with promiscuous mode</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>Hi Victor.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>The right syntax to list the adapters with Windump is "windump
-D" (D capital letter).</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>Moreover, there is no way to see if the adapter is actually in
promiscuous mode or not. More precisely, WinPcap forwards the request to the underlying
miniport driver of the network card (and reports the error code given by the
underlying driver). So if the call fails, the network card driver
should return an error (and therefore WinPcap). I know that there are some
tools (based on winpcap) that are able to detect in another host has a network
card in promiscuous mode, you can maybe try one of them.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>One of them is promiscan, a free version is available here </span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'><a href="http://www.securityfriday.com/products/promiscan.html">http://www.securityfriday.com/products/promiscan.html</a></span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>Which network board are you using (brand, model)? </span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>A stupid question: you say that one of your peers is able to capture
all the SPANned traffic. Did you connect your machine on the same SPANned port
of the switch (if I remember well, you can only configure one port of the
switch as a SPAN port, correct me if I'm wrong).</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>Have a nice day</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Times New Roman"><span style='font-size:
10.0pt'>GV</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>----- Original Message ----- <o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid black 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>
<div style='font-color:black'>
<p class=MsoNormal style='background:#E4E4E4'><b><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial;font-weight:bold'>From:</span></font></b><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <a
href="mailto:victor.buendia@berbee.com" title="victor.buendia@berbee.com">Buendia,
Victor</a> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>To:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> <a
href="mailto:winpcap-users@winpcap.org" title="winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>
<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>Sent:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> Thursday,
September 22, 2005 6:23 PM<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>Subject:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> [Winpcap-users]
Problems with promiscuous mode<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am using Ethereal and is not working properly. I am only
seeing my own traffic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am trying to sniff a Cisco Switch port and I’m
SPANing the destination port properly.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I have tested the SPAN switch configuration with one of my
peers and he can see the traffic with Ethereal just fine (he has the same
hardware I do).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I tried different versions of Ethereal and WinPcap but the
problem still persists.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I wonder if there's any way to see if WinPcap is ordering my
Ethernet port to be on a promiscuous mode properly.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Based on the FAQ page, I have obtained the following
information:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>***Is NFP running?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>When running msinfo32, I see that NPF has been started and
the state is running.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>***What adapters is windump seeing?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>When running windump –d, I don’t see my Ethernet
nor my wireless drives, I only see something that looks like a Dial Up adapter,
here is the command’s output:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>D:\Program Files\windump-3.8.3beta-win32-ipv6>windump -d<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>windump: listening on \Device\NPF_GenericDialupAdapter<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(000) ret #96<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>D:\Program Files\windump-3.8.3beta-win32-ipv6><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I don’t know what else to check, I was thinking about
looking at the PGPnet state, I would hope this is running but how should I
check it?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any help will be very much appreciated.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>-Victor.<o:p></o:p></span></font></p>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>_______________________________________________<br>
Winpcap-users mailing list<br>
Winpcap-users@winpcap.org<br>
https://www.winpcap.org/mailman/listinfo/winpcap-users<o:p></o:p></span></font></p>
</blockquote>
</div>
</body>
</html>