This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

It appears that setting promiscuous mode in windows 7 enterprise x64, is not really setting promiscuous mode at all. I am trying to capture raw ethernet packets, ie not TCP/IP or any other format, it is debugging information. I have it directly connected, no switches. All drivers, winpcpap, and wireshark are up to date. When I start the capture, if I look at the "Local Area Connection Status" I can see the bytes being received. If I use my old XP machine it captures them just fine. If I use "Microsoft Network Monitor" it captures them just fine. I also tried Windump, and it doesn't capture them either. Any ideas?

asked 19 Dec '13, 09:45

BenWhite's gravatar image

BenWhite
11112
accept rate: 0%

Which version of Wireshark are you using? Which version of WinPcap are you using?

(19 Dec '13, 10:20) cmaynard ♦♦

Wireshark 1.10.4 and also tried 1.5.1 WinPcap 4.1.3 also tried 4.1.? and 4.2.? (don't remember exact older versions.)

(19 Dec '13, 11:02) BenWhite

Well, I started shutting down all unneeded services. I found that the "McAfee Host Intrusion Prevention Service" was the culprit. Upon further investigation, it was filtering out my raw ether packets since they were "Non-IP Protocol."

permanent link

answered 19 Dec '13, 11:49

BenWhite's gravatar image

BenWhite
11112
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×103
×72
×43

question asked: 19 Dec '13, 09:45

question was seen: 9,235 times

last updated: 19 Dec '13, 11:49

p​o​w​e​r​e​d by O​S​Q​A