Wireshark uses the NDIS stack through a WinPcap shim; NDIS is one of the 
Windows protocol analyzer problems. NDIS never did fully specify a 
promiscuous mode, so it's left up to the vendor who writes the driver. 
Card vendors supply some promiscuous functionality, but AFAIK none pass on 
all error packets. So you may see packets destined for other hosts, 
broadcasts, etc. but you may not see runts or giants. You may not see 
framing errors. Some, like the older 3Com (I'm not sure if they still do) 
filter all errors in hardware, so you won't even see Ethernet collisions 
in a hub environment - but in that case it doesn't matter what the drivers 
do, and you're stuck in any OS. Some commercial protocol analyzer vendors 
supply a custom driver for a few cards, or even a custom card and driver 
that will capture all error packets.


Randy Grein
Network Engineer



"Gajan Nadarajan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/28/2007 11:25 AM
Please respond to: Community support list for Wireshark <[email protected]>
To: [email protected]
Subject: [Wireshark-users] Newbie question about capture point

Hello, 

I am new to Wireshark and was wondering where exactly does Wireshark capture 
eth packets or frames on the Windows stack (or somewhere on NDIS)?

Would it be before it reaches the driver?

Thank you.
_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
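
As an added example (not part of the original thread), this Python sketch counts undersize and oversize Ethernet frames in a classic pcap capture, which is one way to see what a given adapter and driver actually hand up to the capture layer. The 60- and 1514-byte thresholds assume the capture does not include the 4-byte FCS; `classify_frames` and `build_sample` are names made up for this example, and the sample capture is constructed inline.

```python
import struct

ETH_MIN = 60    # 64-byte Ethernet minimum minus the 4-byte FCS (assumed not captured)
ETH_MAX = 1514  # 1518-byte untagged maximum minus the FCS; an 802.1Q tag adds 4


def classify_frames(pcap: bytes) -> dict:
    """Count undersize / normal / oversize frames in a classic pcap byte string."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian file (microsecond or nanosecond stamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # big-endian file
    else:
        raise ValueError("not a classic pcap file")
    # Link type is the last field of the 24-byte global header; 1 = Ethernet.
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")

    counts = {"undersize": 0, "normal": 0, "oversize": 0}
    offset = 24
    while offset + 16 <= len(pcap):
        # Record header: ts_sec, ts_frac, captured length, original wire length.
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        offset += 16 + incl_len
        # Judge by orig_len: incl_len may be truncated by the snap length.
        if orig_len < ETH_MIN:
            counts["undersize"] += 1
        elif orig_len > ETH_MAX:
            counts["oversize"] += 1
        else:
            counts["normal"] += 1
    return counts


def build_sample(lengths):
    """Constructed sample capture: zero-filled frames of the given wire lengths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in lengths:
        out += struct.pack("<IIII", 0, 0, n, n) + bytes(n)
    return out


if __name__ == "__main__":
    print(classify_frames(build_sample([42, 60, 1514, 1600])))
```

Zero counts here do not show the wire is clean, since the driver or hardware may have dropped the error frames before capture. An undersize frame seen on the sending host is often a locally transmitted frame captured before the NIC pads it.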


