Guy,
Thanks a lot for your answer !
This cause me to ask myself: why, in fact, do we need the "any" pseudo-device
when sniffing in Linux ? Is there any information that we can get with
the "any" pseudo-device when sniffing, that we can't get without it?
Regards,
Mark
On Thu, Aug 13, 2009 at 3:35 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Aug 13, 2009, at 2:44 AM, Mark Ryden wrote:
>
>> I had noticed that when running tshark in Pseudo-device mode (tshark
>> -i any), the
>> machine does not enter promiscuos mode, whereas in the usual case,
>> such as
>> thsark -i eth0 (or without "-i" option at all), it does enter
>> promiscuos mode.
>> (I tested it on Linux).
>
> There is no notion at the hardware level of a machine being in
> promiscuous mode; there is only a notion, for devices on "broadcast"
> networks such as Ethernet, of a network adapter being in promiscuous
> mode. Neither Linux nor any other OS I know of have any notion of a
> machine being in promiscuous mode, either, just of a device being in
> that mode.
>
>> I would appreciate if somebody can explain in few sentences why is
>> it so.
>
> It's because libpcap implements the "any" pseudo-device on Linux by
> creating a PF_PACKET socket but not binding it to a particular
> device. (On other platforms, it's not implemented at all.) The Linux
> socket calls to turn promiscuous mode on don't work on sockets such as
> that - the kernel rejects them rather than setting promiscuous mode on
> all devices in the system.
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>