This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Promiscuous Mode NIC Adapter Setup Required?

0

Do I need to enable my NIC for Promiscuous Mode under Windows, or does Wireshark do this automatically? Pursuant to my last question, I'm trying to intercept traffic between two remote machines via a HUB connection.

Also, I can't find any instructions for how to do this under Windows 10. I found a link for Windows 7 instructions, but they don't seem to work on Windows 10.

asked 19 Oct '17, 11:16

dcs
accept rate: 0%


2 Answers:

0

Click on Edit > Preferences > Capture and you'll see the preference "Capture packets in promiscuous mode". As long as that is checked, which is Wireshark's default, Wireshark will put the adapter into promiscuous mode for you when you start capturing. If the adapter was not already in promiscuous mode, then Wireshark will switch it back when you stop capturing.

So yes, Wireshark does this automatically, as long as you haven't disabled this preference.

This should be the same, regardless of whether Wireshark is installed on Windows 7 or Windows 10.

answered 19 Oct '17, 13:24

Jim Aragon
accept rate: 24%

Glad to hear that. So I don't understand why I can't see traffic on the HUB that isn't directly communicating with the Wireshark computer. Please see my previous question about intercepting packets between two remote computers.

I could use a telephone consultant!

(19 Oct '17, 15:16) dcs

I changed your "answer" to a comment. That's how this site works.

As Jasper said in his answer to your other question, just because it's labeled as a hub, doesn't mean it is. It's very likely to be a switch. Back when hubs were still commonly used, it was cheaper for the manufacturers to use one chip set for both hubs and switches. Of course, the switch had to have switching capability. So they labeled one device as a switch and the other as a hub, and sold the hub for a lower price, but they were actually both switches.

Jaap pointed out that you can do remote capture through an SSH tunnel. Or you could simply capture directly on the Red Hat box with tcpdump and then copy your capture file to your Windows PC and load it into Wireshark for analysis. Even if you are going to use Wireshark for analysis, it doesn't have to be your capture program.

(19 Oct '17, 16:26) Jim Aragon

0

As you wrote that your hub is a real one, not a switch bearing a label "hub", it is a correct way of thinking that the issue may be related to the capturing machine and that promiscuous mode might be switched off.

Now even if Wireshark (via WinPcap) successfully switches the network interface to promiscuous mode, there may be an anti-virus/firewall filter hooked to that interface that drops packets which do not match the local MAC and/or IP address even though the packet filter does let them through, and this filter may be "closer to the wire" than WinPcap's own capturing "filter".

So go to network adapter settings and check whether, in the list of protocols and other items, you cannot disable a filter bearing the name of your anti-virus or firewall software. If there is no such item, it still does not mean that the firewall or antivirus does not do this; if there is, disabling it before starting to capture may solve your issue. In such a case, it may help to disable the functionality in the firewall/antivirus control panel.

Another possibility could be to set up a software bridge consisting of two network cards and capture at one of the members while the antivirus/firewall should interfere with the virtual interface connected to the bridge. But this requires that you have a second network card as otherwise Windows won't allow you to create the bridge. On the other hand, you may use a USB network card, create the bridge, and then disconnect the USB card - the bridge will survive.

Yet another possibility is to replace WinPcap with Npcap, which hooks to a different place in the network stack, so you may be lucky and this place may be closer to the wire than the one where the antivirus hooks in.

The last resort would be to uninstall your antivirus/firewall before capturing (which usually includes a reboot of the machine because the filters often remain in place until reboot).

answered 21 Oct '17, 04:54

sindy
accept rate: 24%
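
The adapter-item check described in sindy's answer can also be done from PowerShell, which lists bindings the adapter's Properties dialog hides. This is an added example, not part of the original answers; the adapter name `Ethernet` is a placeholder, and treating every ComponentID that does not start with `ms_` as third-party is a heuristic assumed here, not a rule stated on this page.

```powershell
# Added example (not from the answers above). Listing bindings works in a
# normal session; Disable-/Enable-NetAdapterBinding need an elevated one.
param(
    # Assumption: placeholder adapter name; list real names with Get-NetAdapter.
    [string]$AdapterName = 'Ethernet'
)

# Every protocol and filter bound to the adapter. -AllBindings also returns
# the entries that the adapter's Properties dialog does not display.
$bindings = Get-NetAdapterBinding -Name $AdapterName -AllBindings

# Heuristic (assumption): most components shipped with Windows use a
# ComponentID starting with "ms_". Anything else is a candidate for a filter
# installed by antivirus, firewall, VPN or capture software. Treat the result
# as a starting point for review, not as a verdict.
$candidates = $bindings | Where-Object { $_.ComponentID -notlike 'ms_*' }

# Full list first, so the candidates can be seen in context.
$bindings |
    Sort-Object ComponentID |
    Format-Table DisplayName, ComponentID, Enabled -AutoSize

if ($candidates) {
    Write-Host "Bindings on '$AdapterName' that do not look like Windows components:"
    $candidates | Format-Table DisplayName, ComponentID, Enabled -AutoSize

    # To test whether one of them is dropping frames not addressed to this
    # machine, disable it only for the duration of the capture:
    #   Disable-NetAdapterBinding -Name $AdapterName -ComponentID '<ComponentID from the table>'
    #   ... run the capture ...
    #   Enable-NetAdapterBinding  -Name $AdapterName -ComponentID '<ComponentID from the table>'
    # Leave the capture driver's own binding enabled, or Wireshark will no
    # longer see the adapter.
} else {
    # Matches the caveat in the answer: no visible item does not prove that
    # no security product is filtering at another layer.
    Write-Host "No non-'ms_' bindings on '$AdapterName'; filtering may still happen elsewhere."
}
```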