Suggestion to avoid p-mode switch available only in some editions of 2012 R2+
codykonior opened this issue · 2 comments
Windows Server 2012 R2 needs to be patched to allow this syntax (and there's no patch for lower OS):
Add-NetEventNetworkAdapter -Name $Adapter.Name -PromiscuousMode
There is a workaround for this and lower operating systems though. You can wrap all of the packet tracing calls with some code that opens a raw, random network socket, and listens to all. Then close it once you're done. This flips the network adapter into p-mode.
$addresses = $adapter | Get-NetIPInterface | Get-NetIPAddress
$address = $addresses.IPAddress | Select-Object -First 1
"Processing adapter [$($adapter.Name)] with IP address [$address]"
$byteIn = [BitConverter]::GetBytes(1)
$byteOut = [BitConverter]::GetBytes(0)
$socket = New-Object System.Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork, [Net.Sockets.SocketType]::Raw, [Net.Sockets.ProtocolType]::IP)
$endpoint = New-Object System.Net.IPEndpoint([Net.IPAddress] $address, 0)
$socket.Bind($endpoint)
[void] $socket.IOControl([Net.Sockets.IOControlCode]::ReceiveAll, $byteIn, $byteOut)
... Then do the above without -PromiscuousMode, do the rest of the capture, and close it, then clean up ...
$socket.Close()
I'm not sure if you would like to incorporate that as an alternate code path if that parameter is detected as not existing, but if not, at least this will show up for anyone else who needs it and wants to hack it in.
Great project btw, really amazing.
I don't think I will incorporate this as an alternate code path, but I will leave this issue open. That way it should be easy to find for anyone else who needs it. Thank you very much for your code example though.
@lahell since even Server 2012 R2 is EOL now, I guess this issue could be closed.