Wireshark-dev: Re: [Wireshark-dev] Promiscuous mode and pseudo-device
From: Mark Ryden <markryde@xxxxxxxxx>
Date: Mon, 17 Aug 2009 15:12:30 +0300
Guy,
Thanks a lot for your answer!

This causes me to ask myself: why, in fact, do we need the "any" pseudo-device
when sniffing in Linux? Is there any information that we can get with
the "any" pseudo-device when sniffing, that we can't get without it?

Regards,
Mark


On Thu, Aug 13, 2009 at 3:35 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Aug 13, 2009, at 2:44 AM, Mark Ryden wrote:
>
> >>  I had noticed that when running tshark in pseudo-device mode (tshark
> >> -i any), the
> >> machine does not enter promiscuous mode, whereas in the usual case,
> >> such as
> >> tshark -i eth0 (or without the "-i" option at all), it does enter
> >> promiscuous mode.
> >> (I tested it on Linux).
>
> There is no notion at the hardware level of a machine being in
> promiscuous mode; there is only a notion, for devices on "broadcast"
> networks such as Ethernet, of a network adapter being in promiscuous
> mode.  Neither Linux nor any other OS I know of has any notion of a
> machine being in promiscuous mode, either, just of a device being in
> that mode.
>
> >> I would appreciate it if somebody can explain in a few sentences why
> >> it is so.
>
> It's because libpcap implements the "any" pseudo-device on Linux by
> creating a PF_PACKET socket but not binding it to a particular
> device.  (On other platforms, it's not implemented at all.)  The Linux
> socket calls to turn promiscuous mode on don't work on sockets such as
> that - the kernel rejects them rather than setting promiscuous mode on
> all devices in the system.
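
The kernel behaviour Guy describes can be observed directly with the promiscuous-mode request documented in packet(7). The program below is an added example, not part of the original thread and not libpcap's code: it opens an unbound PF_PACKET socket and issues PACKET_ADD_MEMBERSHIP / PACKET_MR_PROMISC once with no device index and once for a named device. The interface name "lo" and the helper name try_promisc are assumptions; it is Linux-only and needs CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: open an unbound PF_PACKET socket and request
 * promiscuous membership for ifindex. Returns 0 if the kernel accepts
 * the request, otherwise the errno of the call that failed. */
int try_promisc(int ifindex)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return errno;             /* e.g. EPERM without CAP_NET_RAW */

    struct packet_mreq mr;
    memset(&mr, 0, sizeof(mr));
    mr.mr_ifindex = ifindex;      /* 0 names no device at all */
    mr.mr_type = PACKET_MR_PROMISC;

    int err = 0;
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0)
        err = errno;              /* the request is per device, never "all" */
    close(fd);                    /* closing the socket drops the membership */
    return err;
}

int main(void)
{
    int lo = (int)if_nametoindex("lo");   /* assumed interface name */
    int e_none = try_promisc(0);
    int e_lo = try_promisc(lo);

    printf("no device index: %s\n", e_none ? strerror(e_none) : "accepted");
    printf("ifindex %d (lo): %s\n", lo, e_lo ? strerror(e_lo) : "accepted");
    return 0;
}
```

Run with CAP_NET_RAW, the request without a device index fails with ENODEV, while the request naming a real interface is accepted for that one adapter only.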