I wanted to know how to enable promiscuous mode in Windows 2000. I've searched MSDN, and Google and found nothing. There seems to be no API to do that. May be some IOCTRL?
Posted on 2003-07-15 21:12:57 by GogetaSSJ4
do you mean capturing packets on a lan wire?
Posted on 2003-07-15 21:18:07 by Qages
Well, the idea is to be able to use packet capturing software like tcpdump (I know there's a tcpdump for Windows).
But I still want to know how to do it, or if it's possible at all.
I think that may be some netcards do have an option in their options to do this, but mine doesn't.
Posted on 2003-07-15 21:39:22 by GogetaSSJ4
they all should. i use ETHEREAL( www.ETHEREAL.com) it allows you to select that. so what do you plan on using this for, sneeking a peek at your sister/wifes conversations?
Posted on 2003-07-15 23:16:29 by Qages
I'll try that one, it looks interesting.
But ir also uses WinPCap.
I'm looking for a way to turn on promiscuous mode just out of curiosity, since it is too easy to do that on Linux (ifconfig eth0 promisc).
Posted on 2003-07-15 23:44:58 by GogetaSSJ4
I did it in "C", here is the steps:

- create a RAW socket
- fill Address structure with the IP address of the card interface you want to capture packets
- bind that structure with the socket
- and finally activate the capture with WSAIoctl with the option "SIO_RCVALL"
(you can find this option in the platform SDK.)
- and now just receive all the packets on that socket

May be you should add the IP header in the data you received to know the IP Address Source and IP Address Destination.
Posted on 2003-07-18 03:31:34 by Tomy
promiscuous mode does not capture the outgoing packets, only the incoming ones, if I'm not mistaken.
At least that was what I discovered when I thought I could use it to code a very simple sniffer...very disappointing.

If you can't find the option SIO_RCVALL defined, it is 98000001h. ( I had some trouble finding that )
Posted on 2003-07-18 07:22:55 by david
ummm... no.

Promiscuous Mode: A Brief Description by Evil Homer.

Most network interface cards on the market contain a programmable filter which examines the header of incoming packets for the TARGET ip address, and only accepts packets destined for THAT card's ip address space.
This filter can be disabled, which means that the card will accept packets destined for ANY ip address, ie any packet traversing that network cable.
A network interface card which accepts all packets in this way is said to be operating in promiscuous mode.

promiscuous mode has nothing to do with whether or not you can sniff outgoing packets, you are referring to RAW SOCKETS I believe.
As for sniffing outgoing packets, well, almost all net apps are going to be using api to perform their duties, and the regular path from sockets api through the NDIS layer to the ethernet card means that you can use a virtual device driver (vxd) or a virtual machine manager (vmm) as your own interface between UserMode and NDIS, and basically speak to NDIS directly, bypassing the sockets api entirely. This is the way that most of the packet sniffer libraries out there do it. You may also take note that RAW sockets bound to existing sessions often miss packets !! This is because the original socket is given much more priority than the late-bound raw socket is given. It's honestly not a good way to go.
Posted on 2003-08-03 23:31:59 by Homer