[Winpcap-users] Problems with promiscuous mode
Gianluca Varenni
gianluca.varenni at gmail.com
Fri Sep 23 06:34:17 GMT 2005
Hi Victor.
The right syntax to list the adapters with Windump is "windump -D" (D capital letter).
Moreover, there is no way to see if the adapter is actually in promiscuous mode or not. More precisely, WinPcap forwards the request to the underlying miniport driver of the network card (and reports the error code given by the underlying driver). So if the call fails, the network card driver should return an error (and therefore WinPcap). I know that there are some tools (based on winpcap) that are able to detect in another host has a network card in promiscuous mode, you can maybe try one of them.
One of them is promiscan, a free version is available here
http://www.securityfriday.com/products/promiscan.html
Which network board are you using (brand, model)?
A stupid question: you say that one of your peers is able to capture all the SPANned traffic. Did you connect your machine on the same SPANned port of the switch (if I remember well, you can only configure one port of the switch as a SPAN port, correct me if I'm wrong).
Have a nice day
GV
----- Original Message -----
From: Buendia, Victor
To: winpcap-users at winpcap.org
Sent: Thursday, September 22, 2005 6:23 PM
Subject: [Winpcap-users] Problems with promiscuous mode
I am using Ethereal and is not working properly. I am only seeing my own traffic.
I am trying to sniff a Cisco Switch port and I'm SPANing the destination port properly.
I have tested the SPAN switch configuration with one of my peers and he can see the traffic with Ethereal just fine (he has the same hardware I do).
I tried different versions of Ethereal and WinPcap but the problem still persists.
I wonder if there's any way to see if WinPcap is ordering my Ethernet port to be on a promiscuous mode properly.
Based on the FAQ page, I have obtained the following information:
***Is NFP running?
When running msinfo32, I see that NPF has been started and the state is running.
***What adapters is windump seeing?
When running windump -d, I don't see my Ethernet nor my wireless drives, I only see something that looks like a Dial Up adapter, here is the command's output:
D:\Program Files\windump-3.8.3beta-win32-ipv6>windump -d
windump: listening on \Device\NPF_GenericDialupAdapter
(000) ret #96
D:\Program Files\windump-3.8.3beta-win32-ipv6>
I don't know what else to check, I was thinking about looking at the PGPnet state, I would hope this is running but how should I check it?
Any help will be very much appreciated.
-Victor.
------------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20050922/2d8cc339/attachment.htm
More information about the Winpcap-users
mailing list