Wireshark mailing list archives

Re: Wireshark and NetMon (was Re: Frame comments in Microsoft Network Monitor)


From: Guy Harris <guy () alum mit edu>
Date: Sun, 4 Mar 2012 11:40:47 -0800


On Mar 3, 2012, at 10:56 PM, Krishnamurthy Mayya wrote:

And ya, the final question I did not make it very clear. Hardware dependencies in the sense that kind of device 
drivers or network adapters (NICs) a system has. I don't really know whether the packet capturing software has 
anything to do with these hardware modules. So, wanted to understand.

Well, a driver is a software module, not a hardware module, but:

        with the NDIS 5-based WinPcap, the driver for a Wi-Fi adapter will govern what happens in promiscuous mode - 
will it be able to go into promiscuous mode, and will it capture any traffic if it does (I'm not sure whether any 
drivers support it);

        with the NDIS 6-based mechanism NetMon uses on Windows Vista and later, the driver for a Wi-Fi adapter will 
govern whether monitor mode is supported - if the driver is an NDIS 6 driver that supports Native Wi-Fi *including* 
monitor mode, you will be able to capture in monitor mode with NetMon, otherwise not.

If monitor or promiscuous mode doesn't work, you will probably be able to capture, on a Wi-Fi adapter with promiscuous 
mode turned off, traffic sent by and received by the machine running {WinDump, Wireshark} or NetMon, but that's it.

As for non-Wi-Fi network adapters:

        most if not all Ethernet drivers should support promiscuous mode (but that would also require a network tap or 
"port mirroring" or something such as that on a switched network);

        if you're on an Ethernet network with VLANs, the driver and adapter might have to be configured to show you 
VLAN tags if you want to capture traffic and see the VLAN tags (which would, I think, be the same with WinPcap and with 
NetMon).
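An added example, not part of this thread: a small Python check that a practitioner could run over frames from a capture to answer the two questions above, whether promiscuous mode is actually delivering frames that are neither sent by nor addressed to the capturing host, and whether 802.1Q VLAN tags survived the driver. The MAC addresses and frames are constructed sample data.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8  # 802.1ad outer tag

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus any VLAN tags; return dst, src, VLAN IDs, ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, offset, vlans = frame[0:6], frame[6:12], 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype}

def is_foreign_unicast(parsed: dict, own_mac: bytes) -> bool:
    """True if the frame is unicast between two other hosts: only promiscuous mode
    (plus a tap or port mirror on a switched network) delivers such frames."""
    if parsed["dst"] == own_mac or parsed["src"] == own_mac:
        return False
    if parsed["dst"][0] & 1:  # broadcast/multicast arrives without promiscuous mode
        return False
    return True

def capture_report(frames, own_mac: bytes) -> dict:
    """Summarise what the capture shows about promiscuous mode and VLAN tag visibility."""
    parsed = [parse_frame(f) for f in frames]
    foreign = sum(1 for p in parsed if is_foreign_unicast(p, own_mac))
    tagged = sum(1 for p in parsed if p["vlans"])
    return {"frames": len(parsed), "foreign_unicast": foreign, "vlan_tagged": tagged,
            "promiscuous_effective": foreign > 0, "vlan_tags_visible": tagged > 0}

# Constructed sample data (hypothetical locally administered MACs, not from a real capture).
OWN_MAC = bytes.fromhex("020000000001")  # the capturing host
PEER_A = bytes.fromhex("020000000002")
PEER_B = bytes.fromhex("020000000003")
BROADCAST = b"\xff" * 6

def build_frame(dst, src, ethertype, vlan=None, payload=b"\x00" * 46) -> bytes:
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

SAMPLE_FRAMES = [
    build_frame(OWN_MAC, PEER_A, 0x0800),            # addressed to us: seen either way
    build_frame(PEER_A, OWN_MAC, 0x0800),            # sent by us: seen either way
    build_frame(BROADCAST, PEER_B, 0x0806),          # broadcast ARP: seen without promiscuous mode
    build_frame(PEER_B, PEER_A, 0x0800, vlan=100),   # between two other hosts on VLAN 100
]
```

Run `capture_report(SAMPLE_FRAMES, OWN_MAC)` on frames read from a real capture (for example via a pcap reader) to see whether the fourth kind of frame ever shows up; if it never does, the adapter or driver is not delivering promiscuous traffic, and if `vlan_tagged` stays zero on a tagged segment the driver is stripping the tags.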
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev