[wellylug] How do I create a "quiet" or "raw" ethernet interface for WireShark?

Neil Ramsay neil.ramsay at agentnoel.geek.nz
Mon Jul 11 16:44:18 NZST 2011


Hi David,
have a look at
http://www.askapache.com/security/sniffing-on-ethernet-undetected.html

Neil

On 11/07/2011 14:07, David Antliff wrote:
> Hello,
>
> I'm attempting to use WireShark (and a few other tools like PackETH)
> to create a simple "poor man's" ethernet tester. I want to generate
> arbitrary ethernet frames (not IP packets) on an ethernet port, with
> complete control over the ethernet header, CRC, etc. There seem to be
> plenty of tools for constructing such packets, and sending them.
>
> I am using a USB-to-Ethernet adapter (Edimax EU-4207). This device
> seems to be fully detected by Linux, which is good:
>
> [1478963.769937] usb 2-1.4: new high speed USB device using ehci_hcd
> and address 5
> [1478964.722240] asix 2-1.4:1.0: eth1: register 'asix' at
> usb-0000:00:1d.0-1.4, ASIX AX88772 USB 2.0 Ethernet, 00:50:b6:4e:f8:f3
> [1478964.746371] eth1: link down
>
> I have another Linux machine with a second ethernet port, so I thought
> I'd start by trying to send packets from one to the other. This seems
> to work fine, packets are sent and received, but there's a problem.
>
> It seems that WireShark cannot 'see' a port unless I use ifconfig to
> configure it with an IP address. But once I do this, Linux starts
> sending ARP broadcasts, Samba packets, dropbox packets, all sorts over
> this interface. This is very noisy. I reduced this considerably by
> removing all routes for this interface at both ends, and using
> "ifconfig eth1 -arp" as well, but I still see a few packets now and
> again. Enough to invalidate the tests I want to run anyway as I'm
> going to be counting received packets within an FPGA, so I need strict
> control over what goes on the line.
>
> My questions are therefore:
>
>  - how can I completely 'silence' an ethernet port in Linux?
>
>  - Is it necessary to configure an ethernet port with an IP address
> for WireShark to use it?
>
>  - Is there some sort of 'half-configured' state I can put the port
> into (some sort of 'raw' port) that will allow me to have complete and
> exclusive control of the interface?
>
> I'd like to reiterate that I do not need IP on this, just the ability
> to send and receive arbitrary ethernet frames.
>
> Thanks,
>
> -- David.
>
>
> --
> Wellington Linux Users Group Mailing List: wellylug at lists.wellylug.org.nz
> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug
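
An added example for the frame-generation part of the question above (not part of the original thread and not taken from the linked article): it builds an Ethernet II frame with full control over the header and computes the CRC-32 frame check sequence an FPGA-side checker would expect. The function names, the destination MAC and the EtherType 0x88B5 are assumptions chosen for illustration; the source MAC is the adapter address from the quoted dmesg output.

```python
import socket
import struct
import zlib

MIN_LEN = 60  # minimum Ethernet frame length, excluding the 4-byte FCS

def mac_bytes(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)

def build_frame(dst, src, ethertype, payload, with_fcs=False):
    """Build dst | src | EtherType | payload, zero-padded to the minimum size."""
    if not 0 <= ethertype <= 0xFFFF:
        raise ValueError("EtherType must fit in 16 bits")
    frame = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    frame = frame.ljust(MIN_LEN, b"\x00")
    if with_fcs:
        # The FCS is the standard CRC-32, sent least significant byte first.
        frame += struct.pack("<I", zlib.crc32(frame))
    return frame

def fcs_ok(frame):
    """Check the trailing 4-byte FCS of a frame captured with its FCS."""
    return len(frame) > 4 and struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])

def send_frame(ifname, frame):
    """Send one frame on a Linux AF_PACKET socket (needs root or CAP_NET_RAW).
    The interface only has to be up; no IP address is involved. The NIC
    normally appends the FCS itself, so pass a frame built without it."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        return s.send(frame)

if __name__ == "__main__":
    # Constructed sample: source MAC is the adapter from the dmesg output above,
    # destination MAC is made up, 0x88B5 is an IEEE local-experimental EtherType.
    args = ("02:00:00:00:00:01", "00:50:b6:4e:f8:f3", 0x88B5, b"test 0001")
    print(len(build_frame(*args)), build_frame(*args).hex())
    print("expected FCS:", build_frame(*args, with_fcs=True)[-4:].hex())
```

Nothing is transmitted unless `send_frame` is called explicitly, for example `send_frame("eth1", frame)` on the test machine.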