Page 1 of 1

promiscuous mode

Posted: Tue Jun 14, 2011 4:23 am
by BeafSalad
I have a Realtek PCIe GBE Family Controller RTL8167. It captures packets ok but it seems the driver will not go into promiscuous mode.
Which would be the best driver for this?
Please not this is a lan card.
I have not tested the netbook yet that has a atheros chipset lan card.

RE: promiscuous mode

Posted: Tue Jun 14, 2011 8:08 am
by DJWP
Realtek chipsets are not supported for wireless capture by OmniPeek at present. All searches indicate this is an ethernet, not wireless adapter as well.

Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 10:14 am
by BeafSalad
It seems that everybody here is obsessed about wlan cards. I know the the wlan card will not work that is why i asked about promiscuous mode and not monitor mode and I did state that it was a lan card.

RE: Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 11:05 am
by DJWP
If it is a LAN card, then as long as it is NDIS 3 compatible is should work with OmniPeek. There is no need for promiscuous or monitor mode with EN adapters because they and always send and receive traffic.

RE: RE: Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 11:29 am
by BeafSalad
The reason I want promiscous mode is so I can read all packets off the network. I have done some testing and the problem is a little wierd. I have omipeek on a laptop with the realtek lan card and have setup the iptable of the d-link router to mirror packets to the ip address of the laptop. What I am seeing is only have the conversation - outgoing packets and not the response. I initially thought it was a problem with the card not being in promiscuous mode as I tried with wireshark and disabled the option for promiscuous mode and saw the same thing. I have just tested it with the netbook that has a atheros lan card and that one does not see any packets at all so that card will not go into promiscuous mode at all. The problem may be how the iptables are set up. Some more investigation is in order.

RE: RE: RE: Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 11:46 am
by DJWP
This is probably due to the placement of the OmniPeek machine. If you are connected to a switch port, you will only see your own traffic. In order to see network traffic, you need to be on a SPAN or Mirror port set up on a managed switch, or on a hub where all traffic is broadcast to all ports. OmniPeek has been able to capture from Ethernet adapters without any type of promiscuous mode which is necessary for WLAN adapters only.

RE: RE: RE: RE: Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 11:59 am
by BeafSalad
Yes you right about switches. But as stated I have set the iptable up to mirror packets.

iptables -A PREROUTING -t mangle -s 192.168.1.71 -j ROUTE --gw 192.168.1.100 --tee

iptables -A POSTROUTING -t mangle -d 192.168.1.71 -j ROUTE --gw 192.168.0.100 --tee

It is my understanding that if a lan card is not in promiscuous mode then it will not see packets that are not addressed to itsself even if you are connected to a monitor port.

RE: RE: RE: RE: RE: Re: RE: promiscuous mode

Posted: Tue Jun 14, 2011 12:08 pm
by DJWP
I am unclear as to what you are trying to accomplish here, but there have never been any specialized drivers for Ethernet adapters for use with any Peek product. The only custom drivers are for WLAN adapters. Which version of OmniPeek are you using?

RE: RE: RE: RE: RE: RE: Re: RE: promiscuous mode

Posted: Wed Jun 15, 2011 9:48 am
by BeafSalad
Problem is sorted now. It wasn't anything to do with promiscuous mode or omnipeek not that I said it was. It was a simple typo in the iptables.

iptables -A PREROUTING -t mangle -s 192.168.1.71 -j ROUTE --gw 192.168.1.100 --tee

iptables -A POSTROUTING -t mangle -d 192.168.1.71 -j ROUTE --gw 192.168.0.100 --tee

as you can see postrouting is being routed to a different ip. Took me 3 days to notice what a fool I am.