I might be wrong, but I don't think many OSes and network cards do provide
corrupted packets (wrong FCS or link layer errors) even when put into
promiscuous mode. This is because usually the MAC chip on the cards discards
them without even moving them to host memory (for performance reasons).
Also, consider that one of the issues is that newer network cards perform a
lot of processing (TCP offloading, or checksum computation, just to name two
of them) directly in hardware. Capturing the packets that actually get
transmitted on the network is much harder in this case, as the OS (hence
WinPcap) sees the packets that are sent from host to the network card, not
the packets that actually get transmitted.
Hope it helps
GV
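The checksum-offload effect GV describes (the OS, and hence WinPcap, sees the frame before the NIC fills in checksums) can be checked directly on a capture. The following is an added example, not code from the thread or from WinPcap/Wireshark; it uses two constructed Ethernet/IPv4 frames and verifies only the IPv4 header checksum, not the TCP one.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: sum 16-bit big-endian words, fold carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(frame: bytes) -> bytes:
    """Return the IPv4 header of an Ethernet II frame (raises if not IPv4)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4          # header length in bytes
    return frame[14:14 + ihl]

def ipv4_checksum_ok(frame: bytes) -> bool:
    """A header carrying a correct checksum checksums to zero."""
    return ones_complement_sum(ipv4_header(frame)) == 0

def fix_ipv4_checksum(frame: bytes) -> bytes:
    """What the NIC does on egress with offload enabled: fill the checksum field."""
    hdr = bytearray(ipv4_header(frame))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    return frame[:14] + bytes(hdr) + frame[14 + len(hdr):]

def build_frame(ip_checksum: int) -> bytes:
    """Constructed sample: Ethernet II + IPv4 (192.168.1.10 -> .20, proto TCP)
    + 20 zero bytes standing in for a TCP header. Addresses are made up."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, ip_checksum,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + bytes(20)

# As handed to the NIC on the sending host with checksum offload (field left 0);
# this is what a host-side capture shows.
OFFLOADED_FRAME = build_frame(0x0000)
# As actually transmitted after the hardware filled in the checksum.
WIRE_FRAME = build_frame(0xB760)

if __name__ == "__main__":
    print("host-side capture validates:", ipv4_checksum_ok(OFFLOADED_FRAME))  # False
    print("on-the-wire frame validates:", ipv4_checksum_ok(WIRE_FRAME))       # True
    print("NIC would transmit same bytes:", fix_ipv4_checksum(OFFLOADED_FRAME) == WIRE_FRAME)
```

A burst of "bad" IP checksums on frames sent by the capturing host itself is therefore usually an artifact of the capture point, not of the network; the same frames captured on a span port or tap validate.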
----- Original Message -----
From: <Randy.Grein@xxxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, June 29, 2007 8:03 AM
Subject: Re: [Wireshark-users] Newbie question about capture point
Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the
Windows protocol analyzer problems. NDIS never did fully specify a
promiscuous mode, so it's left up to the vendor who writes the driver.
Card vendors supply some promiscuous functionality, but AFAIK none pass on
all error packets. So you may see packets destined for other hosts,
broadcasts, etc. but you may not see runts or giants. You may not see
framing errors. Some, like the older 3Com (I'm not sure if they still do)
filter all errors in hardware, so you won't even see Ethernet collisions
in a hub environment - but in that case it doesn't matter what the drivers
do, and you're stuck in any OS. Some commercial protocol analyzer vendors
supply a custom driver for a few cards, or even a custom card and driver
that will capture all error packets.
Randy Grein
Network Engineer
From: "Gajan Nadarajan" <gajannada@xxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
Date: 06/28/2007 11:25 AM
Reply-To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Newbie question about capture point
Hello,
I am new to Wireshark and was wondering where exactly Wireshark captures
Ethernet packets or frames on the Windows stack (or somewhere in NDIS)?
Would it be before it reaches the driver?
Thank you.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users