I asked the group not long ago of the default hardware filter set, and was told that on some cards, if you don't set the mode at all you won't receive anything, and on some the default mode could be NDIS_PACKET_TYPE_ALL_LOCAL. So Windows doesn't set the mode for you, I'd guess. Seems like not necessary to me since programmers choose the mode and there are many. You could easily edit the packet.dll to set the mode as soon as you open it. It might be wpcap.dll that ethereal uses, so the filter setting is done as soon as you call pcap_open_live, which will override what you've edited in packet.dll. So you need edit the PacketSetHwFilter function to always set the mode you require. This way, no matter what capture mode is set in ethereal or windump, you'll always end up with the same mode. Unfortunately, you need to ask someone to compile it for you, as I don't have VC++ installed to do it for you.
Daniel ----- Original Message ----- From: "Paul Tipper" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 4:49 PM Subject: Re: [WinPcap-users] Windows XP and Promiscuous mode > On (16:34 23/07/03), Daniel wrote: > > I don't know if I got your question right, not sure about my answer at all, > > but I think what you receive on your network card depends on the network > > structure, so if you receive packets that DON'T have the MAC address of the > > network card you're sniffing on, and you don't want them to be passed to > > passed to your application, you have to untick the "Capture packets in > > promiscous mode" in Ethereal. You can't stop packets that don't contain MAC > > address of your (or each student's) network card from physically arriving, > > so...you simply disable the promiscous mode. > > The question I was asking was is there a way in either winpcap or XP that > anyone has encountered to stop cards being switched to promisuous mode by > standard user accounts. > > Since I cannot change the networking structure here traffic will flow past > these machines that I wouldn't want these students sniffing, so I'd rather > enforce the non-promiscuous mode of the cards with some kind of policy or > setting than trust the student body. If it was just me I'd do as you > suggest and just untick "Capture packets in promiscuous mode". > > > Regards > > paul. > > > ================================================================== > This is the WinPcap users list. It is archived at > http://www.mail-archive.com/[EMAIL PROTECTED]/ > > To unsubscribe use > mailto: [EMAIL PROTECTED] > ================================================================== ================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==================================================================
