Ethereal-users: Re: [Ethereal-users] Ethereal 0.8.18 question...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: root <eth@xxxxxxxxxx>
Date: Sat, 09 Jun 2001 10:40:52 +0300
Guy Harris wrote:

> > I'm using ethereal 0.8.18 on a Red Hat 7.1 system with a libpcap 0.4-39;
> > well, I can grep only packets to/from the machine I'm on and
> > broadcasts; the NIC is a D-link 500TX; I'm connected to a 10M hub.
>
> Switching hub, or non-switching hub?

Plain old 10M hub, the cheapest one! Let me put it this way: long ago when
Red Hat was 6.1 I used tcpdump on the same computer with the same NIC which
captured all the packets in that hub... that's how I learned to use the
"host" parameter in tcpdump :-)
After that I never needed packet dump until now when someone pointed me to
ethereal. To my wonder neither tcpdump nor ethereal can make a successful
dump...

> If it's a switching hub, even if
> the card *is* in promiscuous mode, it won't see traffic other than
> traffic that the host directs towards its port on the hub, which will
> probably be only unicast traffic to that host or broadcast/multicast
> traffic.

No, I'm not that lucky... I'm not even sure that the card can be put in
promiscuous mode with this kernel / configuration, just doesn't make sense;
maybe I need to "echo 1 >" to some /proc/sys stuff... or even better, I
forgot to check something in the kernel compilation; yet the machine works
flawlessly on the network...


One more thing: the terminal from which I start ethereal reads (after the dump
attempt)
"Kernel filter, protocol ALL,  raw packet socket".
Just to answer your question in advance, an "iptables -L" gives me ACCEPT on
all chains...