[Winpcap-users] REPOST: Winpcap and VMware - known problem - ??

Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) michael_feeny at ml.com
Tue Dec 20 15:50:31 GMT 2005 

Loris,


Thx for the response...

My configuration is:  
- WIN2K, running as a virtual machine on top of Vmware ESX 2.5.1 (host).
- The "real" NIC is A Broadcom NIC, set to 100 - Full duplex 
- Ethereal is running on the virtual machine (WIN2K), not the ESX host.

Question:
CAN I run Ethereal on the ESX host?  If so, how do I do this?  That
would eliminate the virtual NIC from the equation.

Thx much!
Michael

Michael Feeny

TDDS Application Integration Management

609-274-2761 (Office)

484-995-1745 (Mobile)

1-888-MERRIL0 (Page)

feenyman99 (AIM)

-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Loris Degioanni
Sent: Saturday, December 17, 2005 8:05 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] REPOST: Winpcap and VMware - known problem
- ??

Michael,
WinPcap interfaces with NDIS as a standard protocol driver, and is able 
to see only the packets that NDIS spits up.
My suspicion is that the virtual NIC implemented by your version of 
VMware implements manual loopback (this is an option for NIC drivers, 
and most drivers just relay on NDIS for loopback), and then doesn't loop

the packets transmitted by TCP/IP to the other protocol drivers.

I wrote "your version of VMware" because I used vmware quite a lot in 
the past and I never noticed the problem you mention. What's your 
configuration? Are you running Ethereal inside the virtual machine or on

the host machine?

Loris


Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) wrote:
> (I sent this about an hour ago, but it seemed to get bounced due to an

> attached screen shot, so I'm trying again.  <I'm new - be gentle J>
> 
> * *
> 
> *PROBLEM DESCRIPTION*
> 
> I ran Ethereal (0.10.13) on a machine ("the capture box"), to capture 
> traffic between it and another machine.  When I inspected the
resultant 
> trace file, I saw that there were packets missing on the sender
(capture 
> box) side.  In other words, the missing packets were not packets 
> expected to arrive from across the network, but were packets that the 
> capture box was to send!  That was something I had never seen before.

> How could packets get lost before you even send them?
> 
>  
> 
> So I looked at the NIC on the capture box, and I saw that it was a:  
> "VMware virtual ethernet interface".
> 
>  
> 
> I talked with a colleague who knows much more about VMware than I, and

> he informed me that VMware uses a "virtual" NIC that sits between the 
> virtual machine and the "real" NIC.
> 
>  
> 
> Bottom line:  I'm assuming at this point that the strange behavior I'm

> seeing is due to this *VMware virtual NIC and/or how WinPcap interacts

> with it*.
> 
>  
> 
> Can anyone confirm this, and/or provide suggestions or pointers for 
> working around it?
> 
>  
> 
> *VERSION INFO*
> 
> Ethereal 0.10.13
> 
> WinPcap 3.1(packet.dll 3, 1, 0, 27) based on libpcap version 0.9[.x]
on 
> Windows 2000 Service Pack 4, build 2195)
> 
>  
> 
> Thx,
> 
> Michael Feeny
> 
> Merrill Lynch
> 
>
------------------------------------------------------------------------
> If you are not an intended recipient of this e-mail, please notify the

> sender, delete it and do not read, act upon, print, disclose, copy, 
> retain or redistribute it. Click here 
> <http://www.ml.com/email_terms/>for important additional terms
relating 
> to this e-mail.     http://www.ml.com/email_terms/
>
------------------------------------------------------------------------
> 
> 
>
------------------------------------------------------------------------
> 
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
--------------------------------------------------------

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail.     http://www.ml.com/email_terms/
--------------------------------------------------------

More information about the Winpcap-users mailing list