In promiscuous mode: * All packets of non-promiscuous mode * Packets destined to another layer 2 network interface In non-promiscuous mode, you’ll capture: * Packets destined to your network interface * Broadcasts * Multicasts So, you won’t see packets sent to another MAC address on your network if you sniff with a hub or a tap Ethernet at the top, after pseudo header “Frame” added by Wireshark The last resort would be to uninstall your antivirus/firewall before capturing (which usually includes a reboot of the machine because the filters often remain in place until reboot).SIP packet captured in non-promiscuous mode. Yet another possibility is to replace WinPcap with npcap which hooks to a different place in the network stack, so you may be lucky and this place may be closer to the wire than the one where the antivirus hooks in. On the other hand, you may use a USB network card, create the bridge, and then disconnect the USB card - the bridge will survive. But this requires that you have a second network card as otherwise Windows won't allow you to create the bridge. In such case, it may help to disable the functionality in the firewall/antivirus control panel.Īnother possibility could be to set up a software bridge consisting of two network cards and capture at one of the members while the antivirus/firewall should interfere with the virtual interface connected to the bridge. If there is no such item, it still does not mean that the firewall or antivirus does not do this if there is, disabling it before starting to capture may solve your issue. So go to network adapter settings and check whether, in the list of protocols and other items, you cannot disable a filter bearing the name of your anti-virus or firewall software. Now even if Wireshark (via WinPcap) successfully switches the network interface to promiscuous mode, there may be an anti-virus/firewall filter hooked to that interface and drop packets which do not match local MAC and/or IP address even though the packet filter does let them through, and this filter may be "closer to the wire" than WinPcap's own capturing "filter". As you wrote that your hub is a real one, not a switch bearing a label "hub", it is a correct way of thinking that the issue may be related to the capturing machine and that promiscuous mode might be switched off.
0 kommentar(er)
