Is Eavesdrop a "Universal Binary"?
With the new release, it finally is. I have not tested the Intel version myself, since I do not have access to a newer model. I have released it to a handful of users and not heard anything horrible back yet.
Why is reading a capture file not working?
In the new version that was released to fix promiscuous mode (see next item) I managed to break file captures. Oops. The new (universal) version fixes this.
Why is promiscuous mode not working?
All versions between 0.4b3 and 0.5a2 had a bug (well, an omission, really) that prevented them from setting promiscuous mode properly. This has been fixed in the latest version. If you are still having issues, please verify that the packets are visible (using tcpdump or MacSniffer) and let me know, I'll get right on it. (See the documentation on external captures for more information.)
What is CaptureTool and why is it still running when I quit Eavesdrop?
In order to facilitate privilege separation and allow for better performance, Eavesdrop launches CaptureTool to perform the actual packet capture. CaptureTool sends all data it collects to Eavesdrop for display. Since it has no user interface, CaptureTool relies on messages from Eavesdrop to know what to do, and if a capture is not explicitly stopped when Eavesdrop quits, a copy of CaptureTool may be left running.
In order to get rid of this, type this from a command line:
sudo killall -v CaptureTool
Not all my traffic is being captured, what's going on?
There are three things that typically cause this complaint:
• Wrong interface selected. Typically, en0 should be used for an Ethernet connection and en1 should be used for an Airport connection.
• A switch is being used, not a hub.
Even if promiscuous mode is on, switches will prevent you from seeing traffic from other machines.
• The missing traffic is not TCP.
Eavesdrop can only capture TCP traffic at this time, even if the capture filter says otherwise. This should not be considered a bug, since most of the features are designed to analyze aspects of TCP conversations. (Support for at least acknowledging that other protocols have passed by is on the back burner at this time.)
Why isn't my Airport interface showing up?
Although Airport is typically on en1, there seems to be a bug in the underlying packet capture library on Mac OS X. When Eavesdrop queries for the available interfaces, it only gets an answer with the first active one listed. Because of this, the Ethernet port (en0) will typically show up, even if it is not being used. The correct interface can simply be typed into the combo box. If you wish to make the default correct, Ethernet can be disabled in the Network preference pane.
Why can't I save captures?
Eavesdrop is only a viewer application at this time. Unfortunately, the "Save" menu options slipped in by accident... they will not work.
Under the hood, the method Eavesdrop uses to store information is not conducive to saving back into a traditional capture file, which is why that feature is missing. I'm investigating how much work a custom file format would take instead, since the "correct" method would require a tremendous amount of development at this time.
How do I use an external capture file?
Eavesdrop can read capture files saved in tcpdump format (which is also native to Ethereal). They must have an extension of ".cap" for Eavesdrop to recognize them.
Why are Loopback and PPTP captures garbled?
Both lo0 and ppp0 are special interfaces that are not quite TCP/IP. Although they transfer TCP/IP, they come into the capture filter with slightly different link-layer headers which Eavesdrop does not account for. Hopefully a future version will at least account for the loopback interface.
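As an added illustration of why those headers matter (example code written for this FAQ, not Eavesdrop's own), the parser below reads a tcpdump-format file, uses the link type from the global header to skip the right link-layer prefix, and reports each record's IP protocol number so TCP can be told apart from everything else. The DLT values and prefix lengths follow libpcap's link-layer definitions; the lo0 capture is constructed in the code, and the assume_linktype parameter is a hypothetical knob that shows what a reader which assumes Ethernet framing sees on a lo0 file.

```python
import struct

# pcap link-layer types (libpcap DLT_* values).
DLT_NULL, DLT_EN10MB, DLT_PPP = 0, 1, 9
# Bytes that precede the IPv4 header for each link type: lo0 (DLT_NULL) carries a
# 4-byte address-family word, ppp0 (DLT_PPP) a 4-byte PPP header, en0/en1 a 14-byte
# Ethernet header. A reader that assumes Ethernet on a lo0 capture reads garbage.
LINK_HDR_LEN = {DLT_NULL: 4, DLT_PPP: 4, DLT_EN10MB: 14}
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17

def ipv4_packet(proto, payload=b"\x00" * 20):
    """Constructed minimal IPv4 header (no options, zero checksum) plus payload."""
    lo = bytes([127, 0, 0, 1])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, lo, lo) + payload

def build_pcap(linktype, frames):
    """Constructed little-endian tcpdump-format file: global header, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def classify(data, assume_linktype=None):
    """IPv4 protocol number per record (None if no IPv4 header sits at the expected
    offset). assume_linktype (hypothetical) overrides the file's own link type."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a tcpdump-format capture")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    hdr_len = LINK_HDR_LEN[linktype if assume_linktype is None else assume_linktype]
    protos, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[hdr_len:]
        # Trust byte 9 (protocol) only if the version/IHL byte looks like IPv4.
        protos.append(ip[9] if len(ip) >= 20 and ip[0] == 0x45 else None)
    return protos

def lo0_capture():
    """Constructed lo0 capture: 4-byte AF_INET (2) word, then one TCP and one UDP packet."""
    af_inet = struct.pack("<I", 2)
    return build_pcap(DLT_NULL, [af_inet + ipv4_packet(IP_PROTO_TCP),
                                 af_inet + ipv4_packet(IP_PROTO_UDP)])

if __name__ == "__main__":
    print(classify(lo0_capture()), classify(lo0_capture(), DLT_EN10MB))
```

Run as-is it prints `[6, 17] [None, None]`: honouring the link type finds one TCP and one UDP packet, while assuming Ethernet framing lands inside the IP header and recognises nothing.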
Start time seems to be a useless field to graph, why is it there?
Although the Start time option does not graph well (due to the size of the numbers it uses), it can be used in an export file. I use this field to do more complicated / presentable graphs in Excel.
