Ethereal-users: Re: [Ethereal-users] Short frames

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 17 Jul 2001 15:23:59 -0700 (PDT)
> When I try to track traffic around the LAN with Ethereal, the packets to 
> and from my machine appear fully formed, but all other packets appear as 
> [Short Frame] -- to and from addresses and the type field, and nothing 
> else.  I assume this is because my packet driver is not properly in 
> promiscuous mode.

Or, rather, that some part of the data path for promiscuous mode, from
the card up through its driver through the OS's networking code and the
WinPcap code, is not properly handling promiscuous-mode packets.

I would bet on the problem in the path *not* being in the networking
code or the WinPcap code, as I suspect that's worked successfully on
other systems.

You might ask winpcap@xxxxxxxxxxxxxxxxxxxxxxx about this, as it's
probably not an Ethereal issue - Ethereal just asks libpcap/WinPcap to
do the capturing for it - although you might experiment with WinDump,
which is tcpdump ported to Windows:

	http://netgroup-serv.polito.it/windump/

to see if it does a better job.  (It probably won't, in which case the
problem is, indeed, not an Ethereal problem.)

> My first question: is that right?  From reading the questions of others who 
> have problems with promiscuous mode, it seems they do not see any other 
> traffic at all.

There were bugs in 0.8.18 that meant that

	1) Ethereal defaulted to non-promiscuous mode in captures,
	   unless the preferences file specified otherwise;

	2) even if you selected promiscuous mode in the dialog box,
	   "Update list of packets in real time" captures wouldn't
	   happen in promiscuous mode unless the preferences file
	   specified promiscuous mode as the default;

which were the source of some of the questions.  Those bugs are fixed in
0.8.19 (although if the preferences file specifies non-promiscuous mode,
it'll still default to that - to change the preferences file, do a
promiscuous-mode capture, and then save the preferences from the dialog
box that "Edit->Preferences" pops up).

Those bugs wouldn't cause the symptoms you're seeing, as you *are*
seeing foreign packets, they're just getting everything past the
Ethernet header removed.

There are also problems on switched networks; in addition, some network
cards don't support promiscuous mode at all, and, even for cards that
do, the drivers for them on some OSes might not support promiscuous
mode.  However, those problems will also not cause the symptoms you're
seeing.

> The card supports promiscuous mode, though I cannot be sure that the driver 
> does (how could I tell?).

Ask the supplier of the driver (either Microsoft or the supplier of the
network interface device).
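
A way to check a saved capture for the symptom discussed in this message, as an added example that is not part of the original mail and is not Ethereal or WinPcap code: it counts frames that carry nothing past the 14-byte Ethernet header, split by whether they would have reached the capturing machine without promiscuous mode. It assumes a classic libpcap-format file with Ethernet link type; the MAC addresses, the frames and the names `build_pcap` and `classify` are constructed for illustration.

```python
import struct

ETH_HDR_LEN = 14  # destination MAC (6) + source MAC (6) + type field (2)
BROADCAST = b"\xff" * 6

def build_pcap(frames, snaplen=65535):
    """Constructed test input: classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for data in frames:
        out += struct.pack("<IIII", 0, 0, len(data), len(data)) + data
    return out

def classify(pcap, local_mac):
    """Count full vs. header-only frames; 'foreign' frames need promiscuous mode."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", pcap[16:24])
    if linktype != 1:
        raise ValueError("capture is not Ethernet")
    if snaplen <= ETH_HDR_LEN:
        raise ValueError("snapshot length alone explains the truncation")
    counts = {"local": {"full": 0, "header_only": 0},
              "foreign": {"full": 0, "header_only": 0}}
    off = 24  # skip the global file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        data = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < ETH_HDR_LEN:
            continue  # too short to carry both addresses; not this symptom
        # Frames to/from this machine, or broadcast, arrive without promiscuous mode.
        near = local_mac in (data[0:6], data[6:12]) or data[0:6] == BROADCAST
        who = "local" if near else "foreign"
        kind = "header_only" if len(data) == ETH_HDR_LEN else "full"
        counts[who][kind] += 1
    return counts

# Constructed sample: locally administered MACs, not taken from the original mail.
LOCAL, HOST_B, HOST_C = (bytes.fromhex("02000000000" + d) for d in "123")
IPV4 = b"\x08\x00"
SAMPLE = build_pcap([
    HOST_B + LOCAL + IPV4 + bytes(46),          # sent by this machine, fully formed
    LOCAL + HOST_B + IPV4 + bytes(46),          # sent to this machine, fully formed
    BROADCAST + HOST_C + b"\x08\x06" + bytes(46),  # broadcast, fully formed
    HOST_C + HOST_B + IPV4,                     # foreign, nothing past the header
    HOST_B + HOST_C + IPV4,                     # foreign, nothing past the header
])
```

If every header-only frame lands in the "foreign" bucket while the "local" frames are all full, the truncation is tied to the promiscuous-mode path rather than to the snapshot length.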