Do I need to enable my NIC for Promiscuous Mode under Windows, or does Wireshark do this automatically? Pursuant to my last question, I'm trying to intercept traffic between two remote machines via a HUB connection.
Also, I can't find any instructions for how to do this under Windows 10. I found a link for Windows 7 instructions, but they don't seem to work on Windows 10.
asked 19 Oct '17, 11:16
Click on Edit > Preferences > Capture and you'll see the preference "Capture packets in promiscuous mode". As long as that is checked, which is Wireshark's default, Wireshark will put the adapter into promiscuous mode for you when you start capturing. If the adapter was not already in promiscuous mode, then Wireshark will switch it back when you stop capturing.
So yes, Wireshark does this automatically, as long as you haven't disabled this preference.
This should be the same, regardless of whether Wireshark is installed on Windows 7 or Windows 10.
answered 19 Oct '17, 13:24
As you wrote that your hub is a real one, not a switch bearing a label "hub", it is a correct way of thinking that the issue may be related to the capturing machine and that promiscuous mode might be switched off.
Now even if Wireshark (via WinPcap) successfully switches the network interface to promiscuous mode, there may be an anti-virus/firewall filter hooked to that interface and drop packets which do not match local MAC and/or IP address even though the packet filter does let them through, and this filter may be "closer to the wire" than WinPcap's own capturing "filter".
So go to network adapter settings and check whether, in the list of protocols and other items, you cannot disable a filter bearing the name of your anti-virus or firewall software. If there is no such item, it still does not mean that the firewall or antivirus does not do this; if there is, disabling it before starting to capture may solve your issue. In such case, it may help to disable the functionality in the firewall/antivirus control panel.
Another possibility could be to set up a software bridge consisting of two network cards and capture at one of the members while the antivirus/firewall should interfere with the virtual interface connected to the bridge. But this requires that you have a second network card as otherwise Windows won't allow you to create the bridge. On the other hand, you may use a USB network card, create the bridge, and then disconnect the USB card - the bridge will survive.
Yet another possibility is to replace WinPcap with npcap which hooks to a different place in the network stack, so you may be lucky and this place may be closer to the wire than the one where the antivirus hooks in.
The last resort would be to uninstall your antivirus/firewall before capturing (which usually includes a reboot of the machine because the filters often remain in place until reboot).
answered 21 Oct '17, 04:54