Guy Harris wrote:

> > I'm using ethereal 0.8.18 on a Red Hat 7.1 system with a libpcap 0.4-39;
> > well, I can grep only packets to/from the machine I'm on and
> > broadcasts; the NIC is a D-link 500TX; I'm connected to a 10M hub.
>
> Switching hub, or non-switching hub?

Plain old 10M hub, the cheapest one! Let me put it this way: long ago when Red Hat was 6.1 I used tcpdump on the same computer with the same NIC which captured all the packets in that hub... that's how I learned to use the "host" parameter in tcpdump :-) After that I never needed packet dump until now when someone pointed me to ethereal. To my wonder neither tcpdump nor ethereal can make a successful dump...

> If it's a switching hub, even if
> the card *is* in promiscuous mode, it won't see traffic other than
> traffic that the host directs towards its port on the hub, which will
> probably be only unicast traffic to that host or broadcast/multicast
> traffic.

No, I'm not that lucky... I'm not even sure that the card can be put in promiscuous mode with this kernel / configuration, just doesn't make sense; maybe I need to "echo 1 >" to some /proc/sys stuff... or even better, I forgot to check something in the kernel compilation; yet the machine works flawlessly on the network...

One more thing: the terminal from which I start ethereal reads (after the dump attempt) "Kernel filter, protocol ALL, raw packet socket". Just to answer your question in advance, an "iptables -L" gives me ACCEPT on all chains...