Ethereal

I installed Winpcap and Ethereal on a WinXP machine but no packets are
captured. I am running it with no filtering. Can anyone suggest anything
I could do or try or any diagnostics that might be useful?

I run this software under Win2k with no such problems.

Thanks.

Tony

"Anthony R. Gold" wrote in message ...
> I installed Winpcap and Ethereal on a WinXP machine but no packets
are
> captured. I am running it with no filtering. Can anyone suggest
anything
> I could do or try or any diagnostics that might be useful?
>
> I run this software under Win2k with no such problems.
>
> Thanks.
>
> Tony

I have run ethereal on XP pro. I you are trying to use it in
promiscouous mode using
wireless it wont work unless you have an rfmon capable driver. In
non-promiscuous mode
it will just capture its own packets.

On Sun, 9 Jan 2005 08:22:12 -0600, "Airhead" <(E-Mail Removed)>
wrote:

> I have run ethereal on XP pro. I you are trying to use it in
> promiscouous mode using
> wireless it wont work unless you have an rfmon capable driver. In
> non-promiscuous mode
> it will just capture its own packets.

Many thanks, the program starts with the promiscuous default and I never
thought to change that. Now I'm getting my own packets and also all the
LAN's ARPs.

I believe I'm using the same drivers as on the Win2k machine where there
Ethereal shows me everything happening on the LAN. What a puzzle!

Thanks again.

Tony

When we used it at work last year we had to set the default speed of the
connection at 10m not 100m. Then it worked fine.

Dave

Anthony R. Gold wrote:
> On Sun, 9 Jan 2005 08:22:12 -0600, "Airhead" <(E-Mail Removed)>
> wrote:
>
>
>>I have run ethereal on XP pro. I you are trying to use it in
>>promiscouous mode using
>>wireless it wont work unless you have an rfmon capable driver. In
>>non-promiscuous mode
>>it will just capture its own packets.
>
>
> Many thanks, the program starts with the promiscuous default and I never
> thought to change that. Now I'm getting my own packets and also all the
> LAN's ARPs.
>
> I believe I'm using the same drivers as on the Win2k machine where there
> Ethereal shows me everything happening on the LAN. What a puzzle!
>
> Thanks again.
>
> Tony

On Sun, 09 Jan 2005 09:28:56 -0600, (E-Mail Removed) wrote:

> When we used it at work last year we had to set the default speed of the
> connection at 10m not 100m. Then it worked fine.

Thanks but I'm using an 11b Wi-Fi card, so that should not be an issue.

Tony

"Anthony R. Gold" <not-for-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 9 Jan 2005 08:22:12 -0600, "Airhead" <(E-Mail Removed)>
> wrote:
>
>> I have run ethereal on XP pro. I you are trying to use it in
>> promiscouous mode using
>> wireless it wont work unless you have an rfmon capable driver. In
>> non-promiscuous mode
>> it will just capture its own packets.
>
> Many thanks, the program starts with the promiscuous default and I never
> thought to change that. Now I'm getting my own packets and also all the
> LAN's ARPs.

As you said, Ethereal starts up with promiscuous mode selected. If you
changed the default setting, you DESELECTED promiscuous. If that's the case,
you can't be receiving 802.11 frames destined for other stations. By
definition, promiscuous mode must be enabled to do that.

You are not seeing 802.11 frames, you are seeing pseudo-Ethernet frames
directed to your own client station only. You will see LAN ARPs, since these
are broadcast frames received by all stations. With promiscuous mode
selected in Ethereal, no frames are trapped at all because promiscuous mode
is entirely unsupported by most vendor drivers for Windows.

AFAIK, you either have to use Linux or BSD, or else filch a driver from a
commercial Windows wifi analyzer package, to get Ethereal to do promiscuous
mode.

>
> I believe I'm using the same drivers as on the Win2k machine where there
> Ethereal shows me everything happening on the LAN. What a puzzle!
>
> Thanks again.
>
> Tony

On Sun, 09 Jan 2005 21:06:30 GMT, "gary" <(E-Mail Removed)>
wrote:

> As you said, Ethereal starts up with promiscuous mode selected. If you
> changed the default setting, you DESELECTED promiscuous. If that's the case,
> you can't be receiving 802.11 frames destined for other stations. By
> definition, promiscuous mode must be enabled to do that.
>
> You are not seeing 802.11 frames, you are seeing pseudo-Ethernet frames
> directed to your own client station only. You will see LAN ARPs, since these
> are broadcast frames received by all stations. With promiscuous mode
> selected in Ethereal, no frames are trapped at all because promiscuous mode
> is entirely unsupported by most vendor drivers for Windows.
>
> AFAIK, you either have to use Linux or BSD, or else filch a driver from a
> commercial Windows wifi analyzer package, to get Ethereal to do promiscuous
> mode.

BINGO! It was indeed a hardware problem and it did not need a change in
OS. The problem was the Centrino wireless card and driver. I disabled
the built-in wi-fi in this Centrino Sony Vaio, plugged in an old trusty
Orinoco Classic PC Card and now see promiscuous mode with all LAN traffic.

Thanks to all for the various suggestions.

Tony

Just curious. Are you saying that the standard Windows driver that came
with your old Orinoco card supports promiscuous mode on Windows XP? If so,
which Orinoco card and which level of driver? So far I have had no luck
finding any standard vendor driver that does promiscuous for Windows, except
those that are bundled into expensive commercial wifi analyzer packages.

"Anthony R. Gold" <not-for-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 09 Jan 2005 21:06:30 GMT, "gary" <(E-Mail Removed)>
> wrote:
>
>> As you said, Ethereal starts up with promiscuous mode selected. If you
>> changed the default setting, you DESELECTED promiscuous. If that's the
>> case,
>> you can't be receiving 802.11 frames destined for other stations. By
>> definition, promiscuous mode must be enabled to do that.
>>
>> You are not seeing 802.11 frames, you are seeing pseudo-Ethernet frames
>> directed to your own client station only. You will see LAN ARPs, since
>> these
>> are broadcast frames received by all stations. With promiscuous mode
>> selected in Ethereal, no frames are trapped at all because promiscuous
>> mode
>> is entirely unsupported by most vendor drivers for Windows.
>>
>> AFAIK, you either have to use Linux or BSD, or else filch a driver from a
>> commercial Windows wifi analyzer package, to get Ethereal to do
>> promiscuous
>> mode.
>
> BINGO! It was indeed a hardware problem and it did not need a change in
> OS. The problem was the Centrino wireless card and driver. I disabled
> the built-in wi-fi in this Centrino Sony Vaio, plugged in an old trusty
> Orinoco Classic PC Card and now see promiscuous mode with all LAN traffic.
>
> Thanks to all for the various suggestions.
>
> Tony

On Mon, 10 Jan 2005 02:41:26 GMT, "gary" <(E-Mail Removed)>
wrote:

> Just curious. Are you saying that the standard Windows driver that came
> with your old Orinoco card supports promiscuous mode on Windows XP? If so,
> which Orinoco card and which level of driver?

Yes, its Lucent's old Orinoco Classic Gold Card which comes with various
brand names on it. I see lots on eBay by searching for "orinoco classic".

As for a driver, this one works fine both with Ethereal in its promiscuous
mode and also with Netstumbler:

http://www.proxim.com/support/all/or...win-sr-02.html

Sorry to hear about your difficulties - until I hit this issue with Sony
and Intel's Centrino chip set I never knew such behaviour was unusual.

Tony