[Winpcap-users] Problems with promiscuous mode

Buendia, Victor victor.buendia at berbee.com
Fri Sep 23 13:05:27 GMT 2005


Yeah, the syntax makes all the difference, here is the new output:

D:\Program Files\windump-3.8.3beta-win32-ipv6>WinDump -D
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{6B4FA49D-0DE0-46A6-A27C-91DEE96304E3} (Intel(R) PRO/1000 MT Mobile Connection (Microsoft's Packet Scheduler) )
3.\Device\NPF_{62C879A1-1F45-4E60-A4AD-4F7B0306E2D5} (Cisco Systems VPN Adapter (Microsoft's Packet Scheduler) )
4.\Device\NPF_{350C0BBB-5D73-4A02-8113-CDFE92B16D28} (Intel(R) PRO/Wireless 2200BG Network Connection (Microsoft's Packet Scheduler) )

Here are the drivers I have running on the Ethernet1000 and wireless
cards:

Intel(R) PRO/1000 MT Mobile (NDIS 5.1), Version: 7.2.17.101
Intel(R) PRO/Wireless 2200BG Network, Version: 9001-21 Driver

About SPANing in Cisco routers, you can sniff as many as 66 ports or
sets of ports or VLANs, depending on the model you are working with. Of
course, every time you SPAN an item, you are duplicating this traffic
within the box, so the more monitoring sessions you add, the more risk
is generated for the box. I have seen as many as 4 sessions running in
parallel in a small switch with heavy traffic, and the switch is able to
keep on working without any problem.

And yes, we were testing the same port.

 

________________________________

From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, September 23, 2005 2:34 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Problems with promiscuous mode

 

Hi Victor.

 

The right syntax to list the adapters with Windump is "windump -D" (D
capital letter).

Moreover, there is no way to see if the adapter is actually in
promiscuous mode or not. More precisely, WinPcap forwards the request to
the underlying miniport driver of the network card (and reports the
error code given by the underlying driver). So if the call fails, the
network card driver should return an error (and therefore WinPcap). I
know that there are some tools (based on WinPcap) that are able to
detect if another host has a network card in promiscuous mode; you can
maybe try one of them.

 

One of them is promiscan; a free version is available here:

http://www.securityfriday.com/products/promiscan.html

 

Which network board are you using (brand, model)? 

 

A stupid question: you say that one of your peers is able to capture all
the SPANned traffic. Did you connect your machine on the same SPANned
port of the switch (if I remember well, you can only configure one port
of the switch as a SPAN port, correct me if I'm wrong)?

 

Have a nice day

GV

----- Original Message ----- 

	From: Buendia, Victor <mailto:victor.buendia at berbee.com>  

	To: winpcap-users at winpcap.org 

	Sent: Thursday, September 22, 2005 6:23 PM

	Subject: [Winpcap-users] Problems with promiscuous mode

	 

	I am using Ethereal and it is not working properly. I am only
	seeing my own traffic.

	I am trying to sniff a Cisco Switch port and I'm SPANing the
destination port properly.

	I have tested the SPAN switch configuration with one of my peers
and he can see the traffic with Ethereal just fine (he has the same
hardware I do).

	I tried different versions of Ethereal and WinPcap but the
problem still persists.

	I wonder if there's any way to see if WinPcap is ordering my
	Ethernet port to be in promiscuous mode properly.

	Based on the FAQ page, I have obtained the following
information:

	 

	***Is NPF running?

	When running msinfo32, I see that NPF has been started and the
state is running.

	 

	***What adapters is windump seeing?

	When running windump -d, I don't see my Ethernet nor my wireless
drives, I only see something that looks like a Dial Up adapter, here is
the command's output:

	 

	D:\Program Files\windump-3.8.3beta-win32-ipv6>windump -d

	windump: listening on \Device\NPF_GenericDialupAdapter

	(000) ret      #96

	 

	D:\Program Files\windump-3.8.3beta-win32-ipv6>

	I don't know what else to check, I was thinking about looking at
the PGPnet state, I would hope this is running but how should I check
it?

	 

	 

	Any help will be very much appreciated.

	 

	-Victor.