This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ping fails when promiscuous mode turned on and NIC in Ethernet “monitor mode”


Hi,

I have the following configuration:

PC#1 <----> switch <----> PC#2

I configured the switch such that PVID = 4 (default port VLAN) for both ports. Also, both ports have VLAN 4 assigned and are tagged ports.

Both PCs have Intel NICs with monitoring mode enabled, and that works; i.e., I can capture RX'd frames and see the VLAN tag.

If I use a packet generator to send tagged or untagged packets in, I see a tagged packet received by the other PC, as expected.

However, if I ping between the two PCs, the ping fails when Wireshark is capturing. If I stop the Wireshark capture, pings continue fine. If I turn monitor mode off in the same config, then pings work fine while Wireshark is running.

This doesn't make sense to me, since I know the frames being passed back and forth must have VLAN tags when pinging without Wireshark capturing (since I see tagged frames with the packet generator).

Can you think of any reason why ping would fail between two Windows 7 PCs only when Wireshark is capturing and the NIC is in monitor mode?

Thanks!

asked 29 Jul '14, 10:21


avek

edited 29 Jul '14, 14:17


Guy Harris ♦♦

So these are Wi-Fi NICs, right? Otherwise, monitor mode, in the sense in which Wireshark uses it, doesn't exist.

(29 Jul '14, 11:18) Guy Harris ♦♦

Hi Guy,

Sorry I wasn't clear there. These are wired NICs.

Two PCs running Windows 7. They both have wired Intel NICs (I217-LM) connected to the switch with CAT 5 cables. Connected at 1G using autoneg.

Initially, I was using a packet generator to send VLAN-tagged packets and would see the packets arrive untagged at the receiving PC. I then read about NICs/drivers stripping the VLAN tag before sending frames up the stack, which was why I did not see the VLAN tags in Wireshark on the receiving PC. I saw I could enable monitor mode in the registry for the Intel NICs, which would prevent the NIC/driver from stripping the VLAN tags. After doing so, I could see the VLAN-tagged packets in Wireshark when using the packet generator, which is great.

I then decided to ping between the two PCs, which normally works fine. And it still does, except when I start a capture with Wireshark (on either PC); then the pings fail.

If I stop the Wireshark capture, the pings start right back up.

Also, if I go back into the registry and turn monitor mode off, then pinging is successful even if Wireshark is running.

Somehow, with BOTH monitor mode enabled in the NICs (which allows me to see the VLAN tag in RX frames in Wireshark) and Wireshark in capture mode, the pinging fails. I'm not sure why that would be.

Thanks!

(29 Jul '14, 11:29) avek

What happens if you capture with promiscuous mode turned off?

(29 Jul '14, 11:48) Guy Harris ♦♦

Hi Guy,

If I turn promiscuous mode off on the Intel NICs, then pings work fine while Wireshark is capturing.

However, I can no longer see the VLAN tags in captured frames in Wireshark (presumably because the NIC/driver strips VLAN tags before they get to Wireshark); i.e., the packet generator is still sending in tagged frames and the switch is still enabled.

Thanks

(29 Jul '14, 13:57) avek

One Answer:


This Intel support page for "monitor mode" on Ethernet adapters says "This change is only for promiscuous mode/sniffing use."; it might be that, in "monitor mode", the driver configures the adapters not to strip VLAN tags or CRCs, and not to drop bad packets, when in promiscuous mode, under the assumption that a network sniffer is running, but that a consequence of doing so might be that the adapters don't work as normal network adapters when you're in promiscuous mode, and that the driver doesn't configure the adapters that way when not in promiscuous mode, so that the adapter works as a normal network adapter but strips VLAN tags.

I.e., you may be out of luck if you want pings to work and VLAN tags not to be stripped. You might want to ask Intel whether there's any way to get what you want, but the answer might be "no".

answered 29 Jul '14, 14:36


Guy Harris ♦♦

Hi Guy,

Fair enough. I was wondering the same thing... perhaps the Intel NIC/driver, with monitor mode enabled, behaves differently depending on whether or not there is a sniffer in the mix. If that's the case, then nothing can be done on the Wireshark side.

Thanks for all of the feedback!

(29 Jul '14, 14:59) avek
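
The difference the thread turns on, a frame that still carries its 802.1Q tag versus one whose tag was removed before the capture saw it, can be checked directly on raw frame bytes. The following is an added example, not part of the original thread: the function names are hypothetical, the frames are constructed (VLAN 4 as in the question, locally administered MAC addresses, zero-filled payload), and `strip_tag` only models the stripping described above, not any particular driver.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100      # IEEE 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800

def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into MACs, optional 802.1Q tag, inner EtherType."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def strip_tag(frame: bytes) -> bytes:
    """Model of tag stripping: drop the 4 tag bytes that follow the source MAC."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]

def vlan_summary(frames) -> Counter:
    """Count frames per VLAN ID; key None means no tag was visible to the capture."""
    return Counter((parse_ethernet(f)["vlan"] or {}).get("vid") for f in frames)

# Constructed sample frames (not taken from the thread's captures).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = bytes(46)  # zero-filled placeholder payload
TAGGED = DST + SRC + struct.pack("!HHH", TPID_8021Q, 4, ETHERTYPE_IPV4) + PAYLOAD
STRIPPED = strip_tag(TAGGED)

if __name__ == "__main__":
    for name, f in (("tag intact", TAGGED), ("tag stripped", STRIPPED)):
        p = parse_ethernet(f)
        print(f"{name}: vlan={p['vlan']} ethertype=0x{p['ethertype']:04x} len={len(f)}")
    print(dict(vlan_summary([TAGGED, TAGGED, STRIPPED])))
```

Run over frames exported from a capture, a summary keyed only by `None` on a port known to carry tagged traffic indicates the tags were removed before the frames reached the capture.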