Wireshark-dev: Re: [Wireshark-dev] Capture PPP on Windows Vista
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 23 Nov 2015 10:57:36 -0800
On Nov 23, 2015, at 10:41 AM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:

> One user (maybe more...) complains that Wireshark does not support
> capturing PPP on Windows Vista.
> WinPcap does not support it for unknown reason:
> https://www.winpcap.org/misc/faq.htm#Q-5

The reason is that unless you:

> But I found that:
> https://msdn.microsoft.com/en-us/library/windows/desktop/bb404173%28v=vs.85%29.aspx

pretend to be Microsoft Network Monitor ("netmon" refers to Network Monitor, and "bh" refers to the codename for Network Monitor, "Bloodhound"), you don't get access to PPP frames.

Of course:

> Note  Each Windows Vista machine permits the installation of only one driver entity that has the "ms_netmon" hardware identity. To install another driver with this identity, the first driver must be uninstalled. A driver that is installed without using the "ms_netmon" hardware identity cannot perform the binding needed to capture PPP frames.

means that, if WinPcap is changed to do that, if you install anything using WinPcap, it won't work if Network Monitor is already installed unless you uninstall it, and if you install Network Monitor afterwards, it won't work unless you uninstall WinPcap.

Now, given that Microsoft Message Analyzer is the Hot New Thing, maybe fewer people will be installing Network Monitor (although people also install Network Monitor to capture in monitor mode on 802.11 adapters, so we might also have to add support for that to WinPcap), so maybe that's not an issue.

> My question is: Is there anyone interested to add missing feature or
> maybe it is not possible? I not sure what for other Windows.

I don't know whether Microsoft still has the special "recognize the Network Monitor driver" hack in their networking stack in releases later than Vista, but they might.  "This information only applies to drivers on a Windows Vista machine." could mean "this doesn't work on anything after Vista" or it could mean "we wrote this for Vista when Vista was the current Windows release, and we're saying it doesn't work on XP or anything earlier".