On Aug 13, 2009, at 2:44 AM, Mark Ryden wrote: > I had noticed that when running tshark in Pseudo-device mode (tshark > -i any), the > machine does not enter promiscuos mode, whereas in the usual case, > such as > thsark -i eth0 (or without "-i" option at all), it does enter > promiscuos mode. > (I tested it on Linux).
There is no notion at the hardware level of a machine being in promiscuous mode; there is only a notion, for devices on "broadcast" networks such as Ethernet, of a network adapter being in promiscuous mode. Neither Linux nor any other OS I know of have any notion of a machine being in promiscuous mode, either, just of a device being in that mode. > I would appreciate if somebody can explain in few sentences why is > it so. It's because libpcap implements the "any" pseudo-device on Linux by creating a PF_PACKET socket but not binding it to a particular device. (On other platforms, it's not implemented at all.) The Linux socket calls to turn promiscuous mode on don't work on sockets such as that - the kernel rejects them rather than setting promiscuous mode on all devices in the system. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
