On Tue, Jan 12, 2016 at 9:56 AM, Guy Harris <[email protected]> wrote:
> On Jan 11, 2016, at 5:42 PM, Yang Luo <[email protected]> wrote:
>
> > AFAIK, Npcap/WinPcap works on the data link level and it sees the
> > Ethernet frames.
>
> It sees data link frames, whatever they might happen to be; it's not
> necessarily Ethernet.

Yeah, my phrases were not precise, I wanna mean this :)

> > In my understanding, VPN SSL (https) or raw HTTP is just data of
> > high-levels (IP packets) for Npcap/WinPcap. I don't know if it's
> > appropriate or viable for Npcap/WinPcap to see this data.
>
> It's appropriate for WinPcap/NPcap to see packets from any interface it
> can attach to via NDIS. It should just pass those packets on to its
> caller, and not do any decryption or anything else on it - if the OS
> provides decrypted packets (i.e., supplies decrypted packets to drivers
> attached to the interface via NDIS), it should pass them onto its caller to
> display, and if it provides *encrypted* packets (i.e., supplies raw packets
> to drivers attached to the interface via NDIS), it should pass them onto
> its caller and leave it up to the caller to decrypt.

Another inaccuracy, I agree that WinPcap/Npcap should see and present the data the way it is. The NDIS technique WinPcap/Npcap is based on has no idea how the higher-level data like SSL are organized or encrypted.

> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
