Wireshark · Ethereal-users: Re: [Ethereal-users] NT4 reads tr packets as ethernet II

Ethereal-users: Re: [Ethereal-users] NT4 reads tr packets as ethernet II

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Mon, 2 Apr 2001 16:08:08 -0700 (PDT)

> > I have just tried windump 2.1 on a Win NT4 SP6a box with a Madge TR PCI BM
> > card.
> > The PC is attached to a 3com hub - not a switch.
> > I fed the output file to ethereal 0,8,14 (capture version).
> >
> > 1. ethereal recognised the packets as TR.
> > 2. windump only captured traffic headed to my PC, not the outbound
> > traffic.
> >
> > Questions
> >
> > 1. Does the Madge support promiscuous mode, or did I have to do
> > something to NT get the card into promiscuous mode, or did I have to set
> > some flag on the windump command to put it in promiscuous mode?
> 
> No idea. Someone told me that some TR adapters don't support promisquous
> mode at all, but I've never used one in my life...

Hmm.  An AltaVista search for

	"token ring" NEAR promiscuous NEAR madge

found

	http://support.microsoft.com/support/kb/articles/q140/7/12.asp

"How to Enable Promiscuous Mode for Madge Token Ring Adapter", which
indicates that you have to enable "Statistics Gathering" on Madge cards,
from the "Network" item in the Control Panel, to support promiscuous
mode.

Another page I found said the same thing.

On the other hand:

	http://www.bachert.de/madge/products/adaptercards/prestopci.htm

says that Madge's Presto Plus Token Ring card has "Non Promiscuous
Drivers" so that "under no circumstances can a station equipped with a
Presto Plus interrogate sensitive network traffic".

The page at

	http://ftp.nuri.net/pub/winsock-l/Windows95/Diagnostic/w95demo.txt

has some notes about Token Ring cards saying:

	Running NetXRay requires that you setup your Token Ring Adapter
	into promiscuous first.  Contact your NIC vendor if you are not
	sure about its support for promiscuous mode.

	Currently, Madge, Olicom, Intel TokenExpress and Thomas Conrad
	cards are tested.

	Note: Adapters not supported: IBM 16/4 Token Ring card and NIC
	card using IBM or National's Tropic chip set.

[Note: in another FAQ, it says the cards in the "Adapters not supported"
list don't support promiscuous mode.]

	2.1 Set up Madge Token Ring Adapters
	First, you must installed the version 4.3(1) of the miniport
	driver from Madge.  If not please contact Madge technical
	support.

	Madge Token Ring Ringnodes
	        * to enable promiscuous, you need to open network icon,
		Select Madge adapter,
	        (Win95) From the property page, change "GATHER NETWORK STATS"
		value to "yes"
	        (WinNT) Click Configure, change "GATHER NETWORK STATS" value to
		"yes"

	However, if you received the latest version 4.3(2) of the
	miniport driver from Madge, the "GATHER NETWORK STATS" option
	has been deleted from the driver's .INF files.  Therefore, you
	can not setup the Token Ring promiscuous mode properly, and will
	cause NetXRay to hang.

[This sounds like "Non Promiscuous Drivers" to me.]

	To get a new NETMADGE.INF (for Win 95) or OEMSETUP.INF (for Win
	NT), you need to contact Madge technical support, or access to
	the Cinco's FTP server to download the latest Madge miniport
	driver file MADGE.ZIP.  The location of this file on Cinco FTP
	server is `/ftp.cinco.com/users/cinco/release/1.1/patch'.

[Note: Cinco were bought by Network Associates, and NetXRay was replaced
by Windows versions of the Sniffer software.]

	2.2 Set up Olicom Token Ring or Intel TokenExpress Adapters

	Olicom Token Ring Adapters

	Some earlier versions of the Olicom NDIS 3.1 driver may not
	support receiving all MAC level packets when set by NetXRay in
	promiscuous mode.

	If you experience this problem, you can set a special flag in
	NetXRay.INI located under Windows 95 directory.  This will tell
	NetXRay to use non-standard method to force Olicom driver to
	enable receiving all MAC frames:

	1.      Invoke the DOS box
	2.      Change directory to Windows 95 directory (typically named as
		WIN95)
	3.      Edit NETXRAY.INI
	4.      Search for the [NetworkAdapter] section
	5.      Add TRingMacFlag=1 below the section header. DO NOT add this
		flag if you are using other manufacturer's Token Ring NIC.
	6.      Save the file and exit.

	Intel Token Express Adapters

	Intel Token Express card is a private label version of the
	Olicom card.  Use the same set up as described above.

On the other hand:

	http://support.microsoft.com/support/kb/articles/q200/3/39.asp

"Promiscuous Mode Madge Token Ring NIC Can Halt Mainframe Connection",
so if you're talking to IBM mainframe hosts on your Token Ring LAN, be
careful....

References:
- Re: [Ethereal-users] NT4 reads tr packets as ethernet II
  - From: Loris Degioanni

Prev by Date: Re: [Ethereal-users] Using eteareal on host machine configured as abridge
Next by Date: [Ethereal-users] Ethereal on Windows platform
Previous by thread: Re: [Ethereal-users] NT4 reads tr packets as ethernet II
Next by thread: [Ethereal-users] ethereal and FREEBSD
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$