How to capture frames in all interfaces in Vista/Server?

  • Question

  • I need to capture, in Windows Vista/Server, all the frames which run
    through the interfaces, including the ones between local applications
    and localhost as well.
    Despite the fact that these aforementioned frames are impossible to
    capture with a sniffer, I have been trying to make them work in different
    ways. After several attempts, I used the firewall API in WinXP and it
    worked. However, Windows Vista/Server is the OS I need to use for my purpose.
    It is said that Windows Vista has the Windows Filtering Platform (WFP).
    Nevertheless, it is thought that this WFP does not support MAC-level
    filtering. Given that, I assume that capturing all Ethernet frames
    will be an impossible thing to achieve, and it may cause some trouble
    because I need to capture all frames from Data Link on.

    Summing up, I would like to ask if anybody knows which technology,
    method or device will work, or if it is possible to do it with an
    NDIS network lightweight filter driver?

    Thank you all,

    Regards, Gustavo
    Saturday, August 1, 2009 4:13 PM


All replies

  • MAC layer filtering did not make it into WFP for Windows 7.  For now, to capture frames at the data link layer, you will need to create an NDIS lightweight filter driver.

    http://msdn.microsoft.com/en-us/library/dd163348.aspx provides a sample you can reference.

    I hope this helps.
    Dusty Harper [MSFT]
    Monday, August 3, 2009 6:03 PM
  • Thanks Dusty,
    I was looking at the example, but it is not a physical interface, so how do I install an NDIS lightweight filter driver on this interface?

    With an NDIS lightweight filter driver, is it possible to install a filter without attaching to any particular interface, so that all frames pass through the filter, including the ones between local applications and those on physical interfaces?

    Regards, Gustavo
    Monday, August 3, 2009 10:05 PM
  • WFP does allow you to filter any and all IP packets. The limitation Dusty pointed out is that you can't reliably retrieve MAC headers for those packets.

    Do you need to get to MAC headers? If not, registering a callout at WFP's INBOUND/OUTBOUND TRANSPORT layer without conditions would allow you to capture any locally originated/destined IP packet. And registering a callout at WFP's FORWARD layer would allow you to capture any packets that pass through the system as well.

    Friday, August 7, 2009 6:17 AM
  • IP packets might be sufficient.
    I'm confused because all the examples I found are to be installed on a particular interface.
    The installation steps are as follows:

    2. Open Control Panel, double-click Network and Internet Connections,
    double-click Network Connections, right-click the relevant Local Area Connection icon,
    and then click Properties.

    What I want must be for all interfaces, for the whole system.
    I don't know if I am explaining myself clearly.

    Thanks, Gustavo
    • Edited by gmoreira Tuesday, August 25, 2009 2:50 AM
    Tuesday, August 25, 2009 2:35 AM