I'm a relative novice with Wireshark and network analysis in general and my question is regarding unbinding NIC components on the NIC I use to perform captures with.
I normally install/insert a dedicated NIC in the Windows computer I'm going to capture from and unbind all components from the NIC before starting a capture (Client for Microsoft Networks, File and Printer Sharing, TCP/IP). I do this under the pretense that this eliminates the possibility that my capture host will "inject" traffic into the network I'm analyzing and skew the capture results. I've noticed that some capture programs (ColaSoft Capsa) will allow me to select this adapter for my capture while other programs won't (Wireshark, Microsoft Network Monitor).
Am I barking up the wrong tree regarding my assumption that my method ensures that my capture host won't influence the network I'm analyzing and possibly skew the capture? If so, does it not make sense for Wireshark to allow me to capture from a NIC with no components bound to it?
When I run a capture with ColaSoft Capsa with no bound components I believe I'm seeing the same results I see when using Wireshark with bound components so I don't believe I'm missing anything in the capture results using my method.
asked 24 Mar '11, 16:18
I do what you do too, unbinding all protocols from the gigabit NIC of my notebook when I capture with it for exactly the same reason: to avoid my card trying to get an IP via DHCP or do anything else in the network like reverse DNS lookups (especially if it is a customer network where I am not allowed to communicate with non-company equipment).
I think it is a network card issue if Wireshark can't use it to capture from your card, because it is absolutely no problem for mine. The card doesn't show an IP in the NIC selection dialog, but I can still start a capture with it.
Try a different card or a different PC, I think it should work. Maybe you should also try reinstalling WinPCAP.
answered 24 Mar '11, 16:26