Layer 2 promiscuous capture

  • Question

  • The new Layer 2 filters allow the capture of entire Ethernet frames, but does the WFP also support promiscuity at Layer 2?


    cjc055

    Tuesday, April 9, 2013 8:43 PM

All replies

  • At FWPM_LAYER_{IN | OUT}BOUND_MAC_FRAME_ETHERNET, you will only see Ethernet frames. At FWPM_LAYER_{IN | OUT}BOUND_MAC_FRAME_NATIVE, you will see Ethernet frames as well as WiFi / WiFi Direct (WLAN), and Mobile Broadband (PPIP) frames.

    If your NIC supports promiscuous mode, then you should see those frames in the MAC_FRAME layers.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, April 10, 2013 6:56 PM
    Moderator
  • There must be more to it than that. The only traffic observed was broadcast and the server's own in/outbound traffic. The server is connected by a wired interface to the monitor port on a network switch. No Ethernet headers were observed until the filters were switched from ..MAC_FRAME_ETHERNET to ..MAC_FRAME_NATIVE.

    Yes, if the hardware supports it, and the driver allows it, promiscuous capture is possible. The WDK samples only hint at how, but those drivers have to be added to the system, require nontrivial buffering to prevent packet loss, and need a client to invoke an explicit operation (DeviceIoControl) to set promiscuous mode.

    The WFP callout architecture needs no client, avoids the buffering complexity, and would be the simpler, preferable solution if only there was some analogous operation to set promiscuous mode. Is there any such thing? Or do the rest of the system's dependencies on WFP prohibit it?


    cjc055


    • Edited by cjc055 Thursday, April 11, 2013 3:31 PM
    Thursday, April 11, 2013 3:11 PM
  • WFP's L2 layers are actually implemented as NDIS LWFs. This means that the NIC and NIC driver must support promiscuous mode in order for promiscuous packets to make it up into NDIS.

    Essentially the NIC / NIC driver will just accept all packets and send them up to NDIS. The NBLs will traverse NDIS until they hit the protocol level, where NDIS makes the determination that the packets aren't actually destined for this machine, and they are silently discarded. The LWFs occur prior to the place where the packets get dropped, so you should see all of the packets as I stated previously.

    If you want to see if there is a WFP issue versus something else, then I suggest installing a protocol analyzer (NetMon) and verifying that you are in fact seeing all promiscuous traffic.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, April 11, 2013 6:51 PM
    Moderator
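As an added illustration (this is not code from the thread, from Microsoft, or from NDIS itself), the following user-mode C program applies the same destination-MAC test that the reply above describes NDIS performing at the protocol level: frames addressed to the local station, broadcast frames, and multicast frames are ones a NIC delivers without promiscuous mode, while a unicast frame between two other stations can only have been delivered promiscuously. Running it over frames dumped from a MAC_FRAME callout gives the same yes/no answer the poster was looking for. All MAC addresses and frames below are constructed for the example; the classification mirrors the behaviour described in the reply, not the actual NDIS code.

```c
/* Added example: classify captured Ethernet frames by whether a
 * non-promiscuous NIC would have delivered them, so a MAC_FRAME
 * callout dump can be checked for promiscuous-only traffic.
 * MAC addresses and frames are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN 6
#define ETH_HLEN 14
#define ETHERTYPE_VLAN 0x8100
#define MIN_FRAME 60            /* minimum Ethernet frame without FCS */

enum frame_class {
    FRAME_TOO_SHORT = -1,
    FRAME_OWN_OUTBOUND = 0,     /* src == local MAC: our own transmit */
    FRAME_OWN_INBOUND,          /* dst == local MAC: delivered in any mode */
    FRAME_BROADCAST,            /* ff:ff:ff:ff:ff:ff: delivered in any mode */
    FRAME_MULTICAST,            /* I/G bit set: delivered if the NIC's multicast list admits it */
    FRAME_FOREIGN_UNICAST       /* unicast between other stations: promiscuous mode only */
};

static const uint8_t BROADCAST_MAC[ETH_ALEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
/* Constructed (hypothetical) station addresses */
static const uint8_t LOCAL_MAC[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x55};
static const uint8_t OTHER_MAC[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x66};
static const uint8_t THIRD_MAC[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x77};

/* Same decision NDIS is described as making at the protocol level, applied
 * to the 14-byte Ethernet header: dst = bytes 0..5, src = bytes 6..11. */
enum frame_class classify_frame(const uint8_t *frame, size_t len,
                                const uint8_t local_mac[ETH_ALEN])
{
    if (frame == NULL || len < ETH_HLEN) return FRAME_TOO_SHORT;
    const uint8_t *dst = frame, *src = frame + ETH_ALEN;
    if (memcmp(src, local_mac, ETH_ALEN) == 0) return FRAME_OWN_OUTBOUND;
    if (memcmp(dst, BROADCAST_MAC, ETH_ALEN) == 0) return FRAME_BROADCAST;
    if (dst[0] & 0x01) return FRAME_MULTICAST;   /* group bit */
    if (memcmp(dst, local_mac, ETH_ALEN) == 0) return FRAME_OWN_INBOUND;
    return FRAME_FOREIGN_UNICAST;
}

/* EtherType, skipping one 802.1Q tag if present; 0 if the frame is too short. */
uint16_t frame_ethertype(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HLEN) return 0;
    uint16_t et = (uint16_t)((frame[12] << 8) | frame[13]);
    if (et == ETHERTYPE_VLAN) {
        if (len < ETH_HLEN + 4) return 0;
        et = (uint16_t)((frame[16] << 8) | frame[17]);
    }
    return et;
}

/* A capture proves promiscuous delivery iff it holds at least one unicast
 * frame exchanged between two stations other than ourselves. */
int capture_is_promiscuous(const uint8_t *const *frames, const size_t *lens,
                           size_t n, const uint8_t local_mac[ETH_ALEN])
{
    for (size_t i = 0; i < n; i++)
        if (classify_frame(frames[i], lens[i], local_mac) == FRAME_FOREIGN_UNICAST)
            return 1;
    return 0;
}

/* Write a minimum-size frame (zero payload) into buf; returns its length. */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t *dst,
                   const uint8_t *src, uint16_t ethertype)
{
    if (cap < MIN_FRAME) return 0;
    memset(buf, 0, MIN_FRAME);
    memcpy(buf, dst, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    return MIN_FRAME;
}

/* Constructed capture. with_foreign == 0 models what the poster observed
 * (broadcast plus the server's own in/outbound traffic); with_foreign == 1
 * adds one frame between two other stations, as a mirror port would show. */
int sample_capture_is_promiscuous(int with_foreign)
{
    uint8_t bufs[4][MIN_FRAME];
    const uint8_t *frames[4];
    size_t lens[4], n = 0;
    lens[n] = build_frame(bufs[n], MIN_FRAME, BROADCAST_MAC, OTHER_MAC, 0x0806); frames[n] = bufs[n]; n++; /* ARP */
    lens[n] = build_frame(bufs[n], MIN_FRAME, LOCAL_MAC, OTHER_MAC, 0x0800);     frames[n] = bufs[n]; n++; /* to us */
    lens[n] = build_frame(bufs[n], MIN_FRAME, OTHER_MAC, LOCAL_MAC, 0x0800);     frames[n] = bufs[n]; n++; /* from us */
    if (with_foreign) {
        lens[n] = build_frame(bufs[n], MIN_FRAME, THIRD_MAC, OTHER_MAC, 0x0800); frames[n] = bufs[n]; n++;
    }
    return capture_is_promiscuous(frames, lens, n, LOCAL_MAC);
}

/* Inner EtherType of a constructed 802.1Q-tagged IPv4 frame. */
uint16_t vlan_sample_ethertype(void)
{
    uint8_t buf[MIN_FRAME];
    size_t len = build_frame(buf, MIN_FRAME, THIRD_MAC, OTHER_MAC, ETHERTYPE_VLAN);
    buf[14] = 0x00; buf[15] = 0x0a;   /* VLAN 10 */
    buf[16] = 0x08; buf[17] = 0x00;   /* inner EtherType IPv4 */
    return frame_ethertype(buf, len);
}

int main(void)
{
    printf("own traffic + broadcast only: promiscuous=%d\n", sample_capture_is_promiscuous(0));
    printf("with foreign unicast:         promiscuous=%d\n", sample_capture_is_promiscuous(1));
    printf("tagged frame inner EtherType: 0x%04x\n", vlan_sample_ethertype());
    return 0;
}
```

The first capture reproduces the poster's symptom: every frame is either broadcast or carries the local MAC as source or destination, so nothing in it required promiscuous mode. Only the appearance of a unicast frame between two other stations (the fourth frame in the second capture) demonstrates that promiscuous frames are reaching the layer being captured.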
  • NetMon, Wireshark, & Wildpackets all concur: the hardware is not the issue. There is still no evidence of promiscuity from the WFP layer 2 filters. Any other suggestions?


    cjc055

    Tuesday, April 16, 2013 3:29 PM