Wireshark-users: Re: [Wireshark-users] tcpdump/wireshark don't see my ethernet card
From: "Jim McNamara" <jim.mcnamara@xxxxxxxxx>
Date: Wed, 30 Apr 2008 20:34:57 -0400


On Wed, Apr 30, 2008 at 5:37 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Apr 28, 2008, at 3:47 PM, Jim McNamara wrote:

Hello all. I've taken some time to search your list archives, and didn't easily find what I was looking for. I have a brand new HP dv9820us laptop. The ethernet card is built in, and the whole motherboard has the nvidia chipset. I'm running Debian Sid with the 2.6.24-1 kernel which was part of the default Debian install. The installer found the ethernet card without issue, and correctly inserts the 'forcedeth' module to use it. The card works fine for generic activities like wired internet access, but neither the tcpdump software nor wireshark sees the card as a possible interface.

...which means this isn't a Wireshark issue, it's either a libpcap issue or a Linux issue.

I forgot to include the libpcap info - here it is:

jim@jimslaptop:~$ dpkg --list|grep libpcap
ii  libpcap0.7                           0.7.2-9                          System interface for user-level packet captu
ii  libpcap0.8                           0.9.8-3                          system interface for user-level packet captu
ii  libpcap0.8-dev                       0.9.8-3                          development library and header files for lib



tcpdump:
jimslaptop:/home/jim# tcpdump -ieth0
tcpdump: bind: Network is down

wireshark (as root):
The capture session could not be initiated (bind: Network is down).

Linux issue.

Does "ifconfig eth0" report that the interface is up?

jim@jimslaptop:~$ /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1e:68:2f:f8:1b
          inet addr:192.168.68.118  Bcast:192.168.68.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:68ff:fe2f:f81b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13990 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16263328 (15.5 MiB)  TX bytes:1227641 (1.1 MiB)
          Interrupt:252 Base address:0x6000
 


If so, this is some mysterious Linux networking stack weirdness wherein said networking stack is using a definition of "down" with which I was not previously acquainted.

If not, presumably you have to configure the interface "up" before you can capture on it.

Debian Sid had a new version of wireshark hit the repositories between when I posted and when you replied. I didn't notice any difference in the libpcap or tcpdump files, but I did see a new version of wireshark being installed. Now wireshark works, and so does tcpdump.

Sorry to have wasted this list's time with something that was completely outside your control.

Peace and Thanks,
Jim
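
Added example, not part of the original thread or of libpcap's code: a Linux-only Python check that reads the interface flags the way ifconfig does and then binds a packet socket to the interface, so the "UP" flag can be compared with the "Network is down" (ENETDOWN) result seen above. The function names and result labels are assumptions made for this sketch; the bind step needs root, and the flag bits are the standard Linux IFF_* values.

```python
import errno, fcntl, socket, struct, sys

SIOCGIFFLAGS = 0x8913          # Linux ioctl: read interface flags
ETH_P_ALL = 0x0003             # capture every protocol
IFF = {0x1: "UP", 0x2: "BROADCAST", 0x40: "RUNNING", 0x1000: "MULTICAST"}

def decode_flags(flags):
    """Names of the set flag bits, in the order ifconfig prints them."""
    return [name for bit, name in sorted(IFF.items()) if flags & bit]

def get_flags(ifname):
    """Ask the kernel for the interface flags (struct ifreq, 40 bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack("16sH22x", ifname.encode(), 0)
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req)
    return struct.unpack("16sH22x", res)[1]

def try_packet_bind(ifname):
    """Bind a packet socket to the interface; return 0 or an errno value."""
    try:
        with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                           socket.htons(ETH_P_ALL)) as s:
            s.bind((ifname, ETH_P_ALL))
            # bind() can succeed while leaving an error pending on the socket
            return s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    except OSError as e:
        return e.errno

def classify(flags, bind_errno):
    """Combine the flag view and the bind result into one label."""
    up = bool(flags & 0x1)
    if bind_errno == 0:
        return "ok"
    if bind_errno in (errno.EPERM, errno.EACCES):
        return "need-root"
    if bind_errno == errno.ENETDOWN:
        # "down": configure the interface up first.
        # "up-but-bind-enetdown": the combination reported in this thread.
        return "down" if not up else "up-but-bind-enetdown"
    return "other:" + errno.errorcode.get(bind_errno, str(bind_errno))

if __name__ == "__main__":
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    flags = get_flags(ifname)
    print(ifname, decode_flags(flags), classify(flags, try_packet_bind(ifname)))
```

Run as root with the interface name as the only argument; 0x1043 is the flag word that corresponds to the "UP BROADCAST RUNNING MULTICAST" line in the ifconfig output above.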