[Wireshark-users] capturing packets in stealth mode on Windows
I need to capture packets between a cable modem and a router for diagnostic purposes. I have inserted a hub between them, so I can attach the Win2K system to it, but I need to avoid having the capturing system inserting packets of its own, as it might either mask the problem I am trying to diagnose or create new problems.

I have downloaded and installed Wireshark 0.99.4 on a Windows 2000 system. I am able to capture packets on my ethernet interface with the interface enabled and in full operation, but if I disable the interface, as I expect I will need to in order to operate stealthily, the interface is not available to select for capture in Wireshark.

How do I need to configure things to be able to do what I need? Can I define another ethernet interface using the same NIC that has no protocols enabled on it and then swap which one is enabled? Do I need to disable all protocols on the existing interface for the capture and then manually re-enable them when I want to reconnect to the network?

Any help appreciated.

Dave

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] capturing packets in stealth mode on Windows
David Durgee wrote:
> I have downloaded and installed Wireshark 0.99.4 on a Windows 2000 system. I am able to capture packets on my ethernet interface with the interface enabled and in full operation, but if I disable the interface, as I expect I will need to in order to operate stealthily, the interface is not available to select for capture in Wireshark.

Obviously, if you disable an interface - it's disabled :-)

> How do I need to configure things to be able to do what I need? Can I define another ethernet interface using the same NIC that has no protocols enabled on it and then swap which one is enabled? Do I need to disable all protocols on the existing interface for the capture and then manually re-enable them when I want to reconnect to the network?

Disabling the TCP/IP stack of that interface should usually be enough to keep the interface quiet - however, I have never tried it myself to see whether it's really quiet then.

There are potentially a lot of services running on top of a network interface; some common ones today are:

- TCP/IP (switch this off - this will prevent ARP, DNS, NBNS, ... from getting on the network)
- VPN (switch this off)
- services to capture network traffic (should send no packets)
- personal firewall software (should send no packets)

Hope this helps,

Regards, ULFL
Re: [Wireshark-users] capturing packets in stealth mode on Windows
Dave,

Under the Network Adapter Properties, under the General Tab, you should see a list of clients/protocols/etc. that use the particular network adapter. For example:

- Client for Microsoft Networks
- VMware Bridge Protocol
- Deterministic Network Enhancer
- File and Printer Sharing for Microsoft Networks
- Network Monitor Driver
- Internet Protocol (TCP/IP)

You want to uncheck everything except the Network Monitor Driver - I believe this is what WinPcap is using to monitor the network adapter. You should then be able to silently monitor the network that this particular network adapter is hooked up to. I have tried this and it works for me.

That said, if you want a perfect solution, you would have to get a switch that can mirror/SPAN ports, or get a network tap, or cut the transmit wires on the patch cord.

--Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:wireshark-users-[EMAIL PROTECTED]] On Behalf Of David Durgee
Sent: Saturday, February 03, 2007 9:26 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] capturing packets in stealth mode on Windows
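The two answers above describe the same procedure by hand: unbind every client, service and protocol from the capture NIC except the packet-capture driver, then check that the host really is silent. The script below is an added example, not code from the thread or from the Wireshark project, and it generalises the Windows 2000 GUI steps to the NetAdapter cmdlets available on Windows 8 / Server 2012 and later. It assumes an elevated PowerShell prompt, Npcap or WinPcap installed, `tshark` on PATH, and an adapter named `Ethernet`; the match on a DisplayName containing `Npcap` or `WinPcap` is an assumption, since the binding's ComponentID differs between driver versions. The verification step captures only frames whose source MAC is the NIC's own address: a quiet host yields zero, and anything that does show up (802.1X, LLDP or similar emitted below the protocol bindings) is exactly what a SPAN port, tap or receive-only cable would still be needed to suppress.

```powershell
# Added example (not from the thread): quiet a Windows capture host by
# unbinding everything except the capture driver from one NIC, then verify
# by capturing only frames the host itself transmits.
# Assumptions: Windows 8+/Server 2012+ (NetAdapter cmdlets), Npcap or WinPcap,
# tshark on PATH, elevated prompt. Adapter name and DisplayName match are
# assumptions; check Get-NetAdapter and Get-NetAdapterBinding on your box.

param(
    [string]$Adapter = 'Ethernet',   # assumed adapter name
    [int]$ListenSeconds = 60         # how long to listen for our own frames
)

$ErrorActionPreference = 'Stop'

# 1. Save the current binding state so the interface can be restored later.
$backup = Join-Path $env:TEMP "bindings-$Adapter.xml"
Get-NetAdapterBinding -Name $Adapter | Export-Clixml -Path $backup
Write-Host "Binding state saved to $backup"

# 2. Keep only the packet capture driver binding (assumed to carry
#    'Npcap' or 'WinPcap' in its DisplayName) and disable everything else:
#    TCP/IP, IPv6, client/server for MS networks, LLDP, QoS scheduler, ...
$keep = Get-NetAdapterBinding -Name $Adapter |
    Where-Object { $_.DisplayName -match 'Npcap|WinPcap' }
if (-not $keep) { throw "No Npcap/WinPcap binding found on $Adapter" }

Get-NetAdapterBinding -Name $Adapter |
    Where-Object { $_.Enabled -and ($_.ComponentID -notin @($keep.ComponentID)) } |
    ForEach-Object {
        Write-Host "Disabling $($_.DisplayName) ($($_.ComponentID))"
        Disable-NetAdapterBinding -Name $Adapter -ComponentID $_.ComponentID
    }

# 3. Verify: capture for $ListenSeconds with a filter that matches only
#    frames sourced from this NIC's own MAC. Zero frames means the host is
#    quiet at the protocol level; anything left comes from driver/firmware.
$mac = (Get-NetAdapter -Name $Adapter).MacAddress -replace '-', ':'
$out = Join-Path $env:TEMP "selftest-$Adapter.pcapng"
& tshark -i $Adapter -f "ether src $mac" -a "duration:$ListenSeconds" -w $out -q
$count = (& tshark -r $out -T fields -e frame.number | Measure-Object).Count
if ($count -eq 0) {
    Write-Host "Quiet: no frames sent from $mac in $ListenSeconds s"
} else {
    Write-Warning "$count frame(s) still sent from $mac; first few shown, full capture in $out"
    & tshark -r $out -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info |
        Select-Object -First 10
}

# 4. Restore the original bindings when you want the host back on the network:
#    Import-Clixml -Path $backup | Where-Object Enabled |
#        ForEach-Object { Enable-NetAdapterBinding -Name $Adapter -ComponentID $_.ComponentID }
```

Run the verification step once before unbinding anything as well: the difference between the two captures shows which of the frames were coming from the protocol stack (and go away) versus from the NIC or its driver (and do not). Keeping the backup file outside the adapter's own state matters because, with TCP/IP unbound, the host has no network path to fetch anything it forgot.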
Re: [Wireshark-users] capturing packets in stealth mode on Windows
Small, James wrote:
> You want to uncheck everything except the Network Monitor Driver - I believe this is what WinPcap is using to monitor the network adapter.

Only for PPP interfaces. For LAN interfaces, it has its own driver for this. It doesn't appear to show up in the adapter properties window, even after running Wireshark (it's load-on-demand, as I remember).