Ethereal-users: [Ethereal-users] PPP capture confusing

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: André Pirard <A.Pirard@xxxxxxxxx>
Date: Fri, 06 Sep 2002 02:03:54 +0200
Hello all,

I'm not on these mailing lists, please cc: me with any reply.

Winpcap, Windump and Ethereal are marvellous tools.
Many thanks to the authors for helping us help people.
But alas, most users are dialup ones and Winpcap has problems with PPP.

What I can read.

http://www.ethereal.com/faq.html#q5.10 says "WinPcap doesn't support PPP WAN interfaces on Windows NT/2000/XP ... this may cause the interface not to show up"

This suggests that Winpcap doesn't work at all for PPP on Windows 2000.
But "may" makes it uncertain.

http://www.ethereal.com/faq.html#q5.11 says "WinPcap doesn't support PPP WAN interfaces on Windows NT/2000/XP/.NET Server; one symptom that may be seen is that attempts to capture in promiscuous mode on the interface cause the interface to be incapable of sending or receiving packets. You can disable promiscuous mode using the -p command-line flag or the item in the "Capture Preferences" dialog box, but this may mean that outgoing packets, or incoming packets, won't be seen in the capture."

This suggests that Winpcap does work for PPP on Windows 2000, but badly.
But "may" and "may" make it even more uncertain.

http://winpcap.polito.it/misc/dialup.htm says why and how:
WinPcap is normally not able to work with dial-up connections. The cause is the Microsoft NdisWan intermediate network driver, that avoids the protocols (except the ones written by Microsoft itself) to receive packets from PPP links. A trick to bypass this problem is to create the MS Network Monitor system device: WinPcap will be able to see it and through this device it will work on dial-up links. Adding this device is quite simple if your OS includes Network Monitor (this is the case for example of Windows NT Server or Microsoft Windows 2000). In this case on Windows 2000 you will have to:
- Go to Settings --> Control Panel --> Network and Dialup Connections.
- Right click on your dialup connection
- Select properties then Networking then Install.
- Install Network Monitor.
- Exit and reboot.
- At this point, applications using WinPcap should see a new device: \Device\Packet_NdisWanBh. Use this device to capture on the dial-up link.

This makes it certain that Winpcap does work for PPP after that procedure.

My experience.

I have installed WinPcap 2.3 on Windows 2000 Professional (let's start to be specific), and, before installing the so-called MS Network Monitor, I get what article # 2 describes, specifically:
- I have to disable promiscuous mode for any capture to work at all
- incoming packets are captured but do not pass to the application
- outgoing packets are sent but not captured, exactly the opposite

At that time, I did have a \Device\Packet_NdisWanBh for Winpcap to see already.

Then I followed the procedure to install what is actually called "Network Monitor Driver" (NMD). This did not add a \Device\Packet_NdisWanBh for Winpcap to see because it had one already, but it added an NMD protocol in the Networking tab of each and every Connection, from Ethernet through all of the line of Dial-up ones altogether. The only difference is that the NMD checkbox in Ethernet can be checked on or off whereas this option for dial-up sticks to off in a grayed checkbox.

And the bottom line is that applying this prescribed procedure did not change anything to the half-in half-out way of working I described above.
Both Ethereal and Windump gave the same results.
Unfortunately, I am unable to crosscheck.
If I have NMD, W2KPro doesn't come with Network Monitor itself.

Have I done anything wrong? I doubt it, it's so click-simple.

Is there any particular WinPcap problem to solve?
In that case, I would welcome the solution in forthcoming 3.0.
I've been waiting sooo long :-(

I'm of course willing to run on my machine any test someone would ask.

Thanks in advance and best regards,



mailto:A.Pirard@xxxxxx.belgium