Wireshark-users: Re: [Wireshark-users] Newbie question about capture point
Date: Fri, 29 Jun 2007 09:18:35 -0700
I haven't kept up on all aspects of current cards, but this was not the case historically - with the exception of 3Com, who has been blocking datalink errors for years.I haven't kept current with the last generation or so, about when gigabit became common. When I looked into TOE cards a few years ago the TOE feature could be disabled (one issue was ENABLING it for some OSes!); IIRC the checksum offloading could be disabled as well. Still, getting to fully promiscuous capture isn't easy - support is required right up the line. If you really need to see all datalink errors these days a hardware analyzer is probably best. Randy Grein Network Engineer "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx> Sent by: wireshark-users-bounces@xxxxxxxxxxxxx 06/29/2007 08:51 AM Please respond to Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> To "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> cc Subject Re: [Wireshark-users] Newbie question about capture point I might be wrong, but I don't think many OSes and network cards do provide corrupted packets (wrong FCS or link layer errors) even when put into promiscuous mode. This is because usually the MAC chip on the cards discards them without even moving them to host memory (for performance reasons). Also, consider that one of the issues is that newer network cards perform a lot of processing (TCP offloading, or checksum computation, just to name two of them) directly in hardware. Capturing the packets that actually get transmitted on the network is much harder in this case, as the OS (hence WinPcap) sees the packets that are sent from host to the network card, not the packets that actually get transmitted. Hope it helps GV ----- Original Message ----- From: <Randy.Grein@xxxxxxxxxxxxxx> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Sent: Friday, June 29, 2007 8:03 AM Subject: Re: [Wireshark-users] Newbie question about capture point > Wireshark uses the NDIS stack through a Winpcap shim; NDIS is one of the > Windows protocol analyzer problems. NDIS never did fully specify a > promiscuous mode, so it's left up to the vendor who writes the driver. > Card vendors supply some promiscuous functionality, but AFAIK none pass on > all error packets. So you may see packets destined for other hosts, > broadcasts, etc. but you may not see runts or giants. You may not see > framing errors. Some, like the older 3Com (I'm not sure if they still do) > filter all errors in hardware, so you won't even see ethernet collisions > in a hub environment - but in that case it doesn't matter what the drivers > do, and you're stuck in any OS. Some commercial protocol analyzer vendors > supply a custom driver for a few cards, or even a custom card and driver > that will capture all error packets. > > > Randy Grein > Network Engineer > > > > "Gajan Nadarajan" <gajannada@xxxxxxxxx> > Sent by: wireshark-users-bounces@xxxxxxxxxxxxx > 06/28/2007 11:25 AM > Please respond to > Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> > > > To > wireshark-users@xxxxxxxxxxxxx > cc > > Subject > [Wireshark-users] Newbie question about capture point > > > > > > > Hello, > > I am new to wireshark and was wonder where exactly does wireshark capture > eth packets or frames on the windows stack( or somwhere on NDIS)? > > Would it be before it reaches the driver? > > Thank you._______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > > - ------------------------- > > CONFIDENTIALITY NOTICE: The information in this message may be proprietary > and/or confidential, and is intended only for the use of the individual(s) > to whom this email is addressed. If you are not the intended recipient, > you are hereby notified that any use, dissemination, distribution or > copying of this communication is strictly prohibited. If you have received > this communication in error, please notify us immediately by replying to > this email and deleting this email from your computer. Nothing contained > in this email or any attachment shall satisfy the requirements for > contract formation or constitute an electronic signature. > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users - ------------------------- CONFIDENTIALITY NOTICE: The information in this message may be proprietary and/or confidential, and is intended only for the use of the individual(s) to whom this email is addressed. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this email and deleting this email from your computer. Nothing contained in this email or any attachment shall satisfy the requirements for contract formation or constitute an electronic signature.
- References:
- Re: [Wireshark-users] Newbie question about capture point
- From: Gianluca Varenni
- Re: [Wireshark-users] Newbie question about capture point
- Prev by Date: Re: [Wireshark-users] Newbie question about capture point
- Next by Date: [Wireshark-users] Wireshark 0.99.6pre2 is now available
- Previous by thread: Re: [Wireshark-users] Newbie question about capture point
- Next by thread: [Wireshark-users] Limit _certain_ packets to 67 bytes?
- Index(es):