[Winpcap-users] use of winpcap with PLC net

Guy Harris guy at alum.mit.edu
Fri Jan 25 06:11:52 GMT 2008


Jean-Luc Pamart wrote:

> I have a home net with :
> 
> 2 windows PC1 and PC2 (with winpcap and wireshark)
> 1 linux Arm PC3 (with libpcap and snort)
> 1 Modem-router xDSL : M
> 
> they are connected on a PLC ( Intellon INT51X1 (14 bps))

(Presumably you mean "14 Mbps" - or "14 Mops", if you prefer. :-))

The INT51X1 is just a chipset:

	http://www.intellon.com/products/homeplug/int51x1.php

and they say it "provides three types of host interface for maximum 
system flexibility:

	o A USB1.1 device interface for connection to a USB host
	o An MII PHY (IEEE 802.3u) / GPSI interface for interconnection to 
microcontrollers or Ethernet controllers
	o An MII Host / DTE interface (IEEE 802.3u) for direct connection to an 
Ethernet PHY"

> like this :
> 
> PC1          PC2          PC3
> eth          eth          eth
> eth/PLC      eth/PLC      eth/PLC
> ====================== M ====Internet

So I assume that's something such as

	PC1		PC2		PC3		 M
	eth		eth		eth		eth
	 ^		 ^		 ^		 ^
	 |		 |		 |		 |
	 v		 v		 v		 v
	eth/PLC		eth/PLC		eth/PLC		eth/PLC
	   ^		   ^		   ^		   ^
	   |		   |		   |		   |
	======================================================
			(your home electrical wiring)

I.e., you have, for each PC, and for the modem, a device with an INT51X1 
in it, which bridges between Ethernet and HomePlug, with each of those 
devices' Ethernet interfaces plugged into a bridge device.  (Or is there 
a single device that has multiple Ethernet interfaces, into which 
several of the machines are plugged, with one connection to your home 
electrical wiring?)

Or does the modem directly connect to your home electrical wiring with 
HomePlug?  Do the PCs have an MII/GMII plug that directly connects to 
the INT51X1?

> My problem : I don't see (with snort or wireshark) any traffic to and 
> from foreign machines ...
> I see broadcast messages, messages to and from the sniffer PC but 
> nothing else

If the network is as I described, with an Ethernet cable between each PC 
and an Ethernet-to-HomePlug gateway, then, if the Ethernet adapter on 
the PC is in promiscuous mode, that only means that it'll capture all 
traffic on that Ethernet; if the Ethernet-to-HomePlug bridge doesn't 
itself pass traffic not intended for the host onto that Ethernet, you 
won't be able to see that traffic, and there's no signal that goes over 
an Ethernet to indicate that one of the hosts on the Ethernet has gone 
into promiscuous mode, so the bridge doesn't know that it *should* pass 
that traffic onto the Ethernet.

Searching for

	HomePlug promiscuous

in Google found

	https://neon1.net/prog/plconfig.html

which indicates that at least some powerline bridges can be put into 
promiscuous mode.  I don't know whether that program will work on your 
bridges.  There might be other tools for putting your bridge into 
promiscuous mode; I assume you're running Windows on the machine on 
which you're trying to capture traffic (because you asked the 
winpcap-users mailing list), so there might be a tool that came with 
your bridges that lets you put a bridge into promiscuous mode.

> (yes I know : it's a very common problem) but after days of research :
> 
> - PLC net is bus like
> - at least my linux ethernet card pass to promiscuous mode (dmesg : eth0 
> promiscuous ...)

...and if you're running Linux on that machine, there might be another 
tool (it sounds as if plconfig directly uses BPF, so, unless it's been 
ported, it won't work on Linux, but other tools might exist).

