[Winpcap-users] REPOST: Winpcap and VMware - known problem - ??

Sat Dec 17 13:05:23 GMT 2005

Michael,
WinPcap interfaces with NDIS as a standard protocol driver, and is able 
to see only the packets that NDIS spits up.
My suspicion is that the virtual NIC implemented by your version of 
VMware implements manual loopback (this is an option for NIC drivers, 
and most drivers just relay on NDIS for loopback), and then doesn't loop 
the packets transmitted by TCP/IP to the other protocol drivers.

I wrote "your version of VMware" because I used vmware quite a lot in 
the past and I never noticed the problem you mention. What's your 
configuration? Are you running Ethereal inside the virtual machine or on 
the host machine?

Loris

Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) wrote:
> (I sent this about an hour ago, but it seemed to get bounced due to an 
> attached screen shot, so I’m trying again.  <I’m new – be gentle J>
> 
> * *
> 
> *PROBLEM DESCRIPTION*
> 
> I ran Ethereal (0.10.13) on a machine (“the capture box”), to capture 
> traffic between it and another machine.  When I inspected the resultant 
> trace file, I saw that there were packets missing on the sender (capture 
> box) side.  In other words, the missing packets were not packets 
> expected to arrive from across the network, but were packets that the 
> capture box was to send!  That was something I had never seen before.  
> How could packets get lost before you even send them?
> 
>  
> 
> So I looked at the NIC on the capture box, and I saw that it was a:  
> “VMware virtual ethernet interface”.
> 
>  
> 
> I talked with a colleague who knows much more about VMware than I, and 
> he informed me that VMware uses a “virtual” NIC that sits between the 
> virtual machine and the “real” NIC.
> 
>  
> 
> Bottom line:  I’m assuming at this point that the strange behavior I’m 
> seeing is due to this *VMware virtual NIC and/or how WinPcap interacts 
> with it*.
> 
>  
> 
> Can anyone confirm this, and/or provide suggestions or pointers for 
> working around it?
> 
>  
> 
> *VERSION INFO*
> 
> Ethereal 0.10.13
> 
> WinPcap 3.1(packet.dll 3, 1, 0, 27) based on libpcap version 0.9[.x] on 
> Windows 2000 Service Pack 4, build 2195)
> 
>  
> 
> Thx,
> 
> Michael Feeny
> 
> Merrill Lynch
> 
> ------------------------------------------------------------------------
> If you are not an intended recipient of this e-mail, please notify the 
> sender, delete it and do not read, act upon, print, disclose, copy, 
> retain or redistribute it. Click here 
> <http://www.ml.com/email_terms/>for important additional terms relating 
> to this e-mail.     http://www.ml.com/email_terms/
> ------------------------------------------------------------------------
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users