[Winpcap-users] My NIC is redirecting/replicating packets whensniffing

[Jim Young]

Hello Feliciano ,

>>On Jue Oct 30 9:45 , 'Fish' <fish at infidels.org> sent:
>> You might also want to check whether you (either accidentally or on
>> purpose) have "IP Forwarding" (i.e. "IP Routing") enabled on your
>> Windows host:
> Feliciano Chavez <chavezf at tutopia.com> 10/30/08 12:47 PM >>>
> 
> Hello,
> Fixed!
> I enabled that switch time ago to do routing labs.
> Now I realize, thanks to your tip, that it confuses the NIC when doing sniffing in promiscuous mode.
> FAQ worthy? I don't know if you run some sort of knowledge base, but now we know.
> Note: in Vista is not enough to reset the PC when changing that. You have to power it off an then on in order to take effect.

Congratulations.

I don't think it was the NIC that was confused, we were! ;-)

It's unlikely that using promiscuous mode for packet capture would 
really have any bearing on this.  I suspect your system(s) have 
been doing this (ICMP redirects) ever since you enabled the hosts's 
"IP Forwarding" feature.  In this case having this feature enabled didn't 
seem to stop the packets from getting to their final destination, it simply 
forced an extra, and unnessary, hop/relay in the path.

A "netstat -r" command to display the system's routing table would
probably have helped identify that the system was routing.

Best regards,

Jim Y.