Ethereal-users: Re: [Ethereal-users] What does it mean to "Capture" packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 27 Aug 2004 12:48:02 -0700
ronnie sahlberg wrote:

One of many many ways to spot such a NIC is trying to ping your host but sending
the ping to a dummy/fake MAC address.
If your NIC is in promisc mode it will be passed through the NIC and
your network stack will respond to the ping.

...only if the driver supplies promiscuously-received packets to the network stack and they're supplied in such a way that the packet isn't marked as "promiscuously received" or the code in the stack above it doesn't ignore packets so marked.

I think that many BSD drivers supply those packets to BPF but not to the regular networking stack. On Windows, a particular NDIS attachment can set a filter to indicate what packets it wants to see - IP probably sets a filter saying "just show me packets that this machine is supposed to see", so that promiscuously-received packets shouldn't be handed to IP over that attachment. I think Linux might have a similar mechanism.
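
The conditions discussed in this message, as an added example that is not part of the original post or of Ethereal: a simplified Python model of the receive path, showing when a ping sent to a fake MAC address is answered and when a promiscuous NIC stays silent. The function and parameter names are hypothetical, the packet-type labels are named after Linux's PACKET_HOST/PACKET_OTHERHOST values, and all MAC addresses and frames are constructed.

```python
# Simplified receive-path model (added example; all frames and MACs are constructed).
import struct

HOST, BROADCAST, MULTICAST, OTHERHOST = "host", "broadcast", "multicast", "otherhost"
ETH_P_IP = 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def classify(dst, nic_mac):
    """Label a frame by destination MAC before it is handed up the stack."""
    if dst == nic_mac:
        return HOST
    if dst == b"\xff" * 6:
        return BROADCAST
    if dst[0] & 0x01:                  # group bit set: multicast
        return MULTICAST
    return OTHERHOST                   # unicast for someone else: "promiscuously received"

def receive(frame, nic_mac, promisc, stack_honors_mark=True, driver_feeds_stack=True):
    """Return (seen_by_capture_tap, delivered_to_ip) for one Ethernet frame."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    kind = classify(dst, nic_mac)
    # Hardware filter: without promiscuous mode the NIC discards other hosts' unicast.
    # (Multicast subscription filtering is not modelled.)
    if kind == OTHERHOST and not promisc:
        return (False, False)
    if kind == OTHERHOST:
        if not driver_feeds_stack:     # driver gives such frames to the capture tap only
            return (True, False)
        if stack_honors_mark:          # stack ignores frames marked as not for this host
            return (True, False)
    return (True, ethertype == ETH_P_IP)

NIC = mac("02:00:00:00:00:01")         # constructed, locally administered addresses
FAKE = mac("02:00:00:00:00:99")
SENDER = mac("02:00:00:00:00:02")

def probe(dst):
    """Ethernet header plus a placeholder payload standing in for an echo request."""
    return struct.pack("!6s6sH", dst, SENDER, ETH_P_IP) + b"constructed echo request"

if __name__ == "__main__":
    for label, kwargs in [("marks honoured", {}),
                          ("marks ignored", {"stack_honors_mark": False}),
                          ("tap-only driver", {"driver_feeds_stack": False})]:
        print(label, receive(probe(FAKE), NIC, promisc=True, **kwargs))
```

In this model only the "marks ignored" case answers the probe, so a missing reply does not show that a NIC is not in promiscuous mode.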