On Jan 7, 2010, at 3:44 PM, Joshua (Shiwei) Zhao wrote:

> I'm using winpcap 4.1, and curious whether/how winpcap filters packets.

Is that "filters" as in OID_GEN_PACKET_FILTER:

        http://msdn.microsoft.com/en-us/library/bb648512.aspx

The "filtering" as in BPF/libpcap-style filtering doesn't have anything to do 
with this.

> I have a native WiFi driver (for Ndis6.0) which can be put into
> monitor mode manually. When it's in monitor mode, can winpcap get the
> packets and forward to Wireshark?

Probably not.

To quote

        http://msdn.microsoft.com/en-us/library/aa503359.aspx

"Usually, when the miniport driver indicates 802.11 packets, the packets are 
complete media access control (MAC) service data unit (MSDU) or MAC management 
protocol data unit (MMPDU) packets. In this situation, the 802.11 station has 
reassembled and decrypted each MAC protocol data unit (MPDU) fragment for the 
MSDU or MMPDU packet. If a MPDU fails during decryption or verification, the 
802.11 station must discard all MPDU fragments and the miniport driver must not 
make the packet indication through a call to NdisMIndicateReceiveNetBufferLists.

However, if enabled for raw packet indication, the miniport driver must make 
the packet indication for every received MPDU fragment of an MSDU or MMPDU 
packet regardless of whether the MPDU fragment succeeded or failed to decrypt.

The miniport driver must indicate raw 802.11 packets when the current packet 
filter is set to one of the following:

NDIS_PACKET_TYPE_802_11_RAW_DATA
        When this packet filter is enabled, the miniport driver must indicate 
each raw MPDU fragment for an MSDU packet.
NDIS_PACKET_TYPE_802_11_RAW_MGMT
        When this packet filter is enabled, the miniport driver must indicate 
each raw MPDU fragment for an MMPDU packet.

For more information about how the current packet filter is set or queried, see 
OID_GEN_CURRENT_PACKET_FILTER."

That probably means that, unless the current packet filter for a given protocol 
driver has those enabled, no raw 802.11 packets will be delivered to the 
protocol driver.  WinPcap is an NDIS 5 protocol driver, so it doesn't know that 
those filter types even exist, and thus doesn't turn them on.  So

> Or does winpcap filter out those
> packets because they're ndis6.0 and not being supported?

is sort of what's happening, except that WinPcap doesn't explicitly say "oh, 
this is an NDIS 6 packet, I'll discard it" - it doesn't even know how to ask to 
be *given* those packets!

> Now on win7/vista, Wireshark cannot see any packets passed by winpcap
> although the driver is in monitor mode and MS's Netmon does capture all
> packets.

NetMon's kernel code for NDIS supports NDIS 6 and *can* ask for those packets.
_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users