On Mar 3, 2012, at 7:12 AM, Krishnamurthy Mayya wrote:
> Just wanted to understand in what way these 2 (MS network monitor and
> Wireshark) differ??
Well, there are several ways in which they differ. Some of them are:
1) Wireshark is released under the GNU Public License; its source code
is available to all, and if anybody makes a modified version of Wireshark
available, they must make it available in source form to everybody to whom they
make it available in binary form (see the GPL, Version 2:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
and the FAQ about it:
http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html
for a more detailed and perhaps more correct explanation). It is
available at no cost.
Microsoft Network Monitor (henceforth referred to as "NetMon") is
available at no cost, but its source code is not available.
2) Wireshark dissects packets by directly executing code, written in C,
Lua (for versions of Wireshark built with Lua) or, I think, Python (for
versions of Wireshark built with the Python interpreter); a third-party plugin:
http://wsgd.free.fr/
allows packet formats to be described in a packet description
language. Tools exist to transform some packet description languages (ASN.1,
Samba's PIDL interface description language for DCERPC/MSRPC, CORBA IDL) into C
code.
NetMon dissects packets by using packet descriptions written in
NetMon's own packet description language.
3) Wireshark runs on Windows and a number of UN*Xes (Linux
distributions, *BSD, Mac OS X, Solaris, HP-UX, AIX, etc.).
NetMon runs only on Windows (it might be able to run, without
support for packet capture, on x86 UN*Xes under Wine).
4) Wireshark can read capture files in a number of formats, including
both pcap and pcap-NG format, as well as various formats from other packet
analyzers, including NetMon format.
NetMon can read both its native format and pcap format; it supports
some features of its native format that Wireshark does not (including, at
present, frame comments).
> I just noticed that wireshark uses winPcap where as the other uses NDIS.
Actually, they both use NDIS. As far as I know, Microsoft don't provide any
way of directly accessing NDIS drivers from userland, so WinPcap includes
1) a driver that connects to NDIS and provides I/O operations that can
be accessed from userland;
2) a low-level userland library that accesses that driver (packet.dll);
3) a version of libpcap that uses that low-level userland library
(wpcap.dll).
I don't know how NetMon plugs into NDIS; I suspect it installs its own driver
with its own userland code that accesses it.
> Any more thoughts on this??
NetMon, on Windows Vista and later, plugs into NDIS 6, which means it can
support capturing in monitor mode. I don't know whether WinPcap's driver could
plug into NDIS 6; if it did, it could also support monitor mode (using the
already-existing libpcap APIs for that, which Wireshark 1.6 and later use if
available, so the existing tcpdump/WinDump, dumpcap, TShark, and Wireshark UI
would also work).
NetMon might also plug into NDIS in a different fashion from the WinPcap
driver, which might allow it to capture on PPP devices such as mobile phone
modems and VPN connections. However, there might also be NetMon-specific hooks
in the Windows networking stack, so that *only* NetMon can plug into NDIS in
that fashion; I seem to remember a discussion with the WinPcap developers in
which they'd discovered that Windows was looking for a driver with a particular
name (I think the name included "bh" for "Bloodhound", which I think was the
internal code name/project name for NetMon).
> Is there any other hardware kind of dependencies present??
Hardware dependencies of what sort?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
