Network sniffer

Question


    I use a raw socket for a network sniffer. It works well on XP, but it doesn't capture outbound packets on Vista.

    Why doesn't it capture outbound packets? I want to capture inbound and outbound packets. Is it possible to capture packets using a raw socket on Vista?

    Thursday, October 18, 2007 8:18 AM

Answers

    There are a couple of technologies in Vista that allow you to capture outbound packets. WFP would be the preferred one if you don't need to get access to layer 2 (e.g. 802.3) information; otherwise NDIS Lightweight Filters (LWF) would be a good choice.

    For WFP, the layer where you can capture a complete outbound IP packet is FWPS_LAYER_OUTBOUND_IPPACKET_V{4|6}. You would need to develop a kernel-mode WFP callout driver that registers at this layer.

    http://msdn2.microsoft.com/en-us/library/ms796374.aspx is a good place to start with WFP callout drivers.

    Hope this helps,

    Biao.W.

    Thursday, October 18, 2007 11:32 PM
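The raw-socket sniffer the question describes, written out as an added example (not code from this thread or from Microsoft), so the Vista behaviour discussed above can be measured rather than guessed at. The Windows-only part (`SIO_RCVALL` on an `AF_INET`/`SOCK_RAW` socket, which needs administrator rights) is the user-mode approach the poster is using; the answer's point is that outbound TCP will not appear there on Vista and needs a WFP callout or an NDIS LWF instead, neither of which can be shown from user mode. The header decoder and the in/out classification run offline on constructed datagrams; the addresses and ports are assumptions.

```python
"""Raw-socket sniffer (question's approach) plus an offline IPv4/TCP/UDP decoder.
Added example; not code from the original thread."""
import socket
import struct
import sys

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def parse_ipv4(buf):
    """Decode the fixed IPv4 header. Returns None for anything that is not a
    sane IPv4 datagram, so junk handed back by recv() never raises in the loop."""
    if len(buf) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl or total_len < ihl:
        return None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "hdr_len": ihl, "payload": buf[ihl:total_len]}


def parse_transport(proto, payload):
    """Decode the TCP or UDP header after the IP header; other protocols -> None."""
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        return {"sport": sport, "dport": dport,
                "hdr_len": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF}
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
        return {"sport": sport, "dport": dport, "length": length}
    return None


def describe(buf, local_ip):
    """Classify a datagram as in/out relative to local_ip and build a summary line.
    Counting the 'out TCP' lines shows whether a capture method sees outbound TCP."""
    ip = parse_ipv4(buf)
    if ip is None:
        return None
    tp = parse_transport(ip["proto"], ip["payload"])
    direction = "out" if ip["src"] == local_ip else "in"
    name = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(ip["proto"], str(ip["proto"]))
    sport = tp["sport"] if tp else "-"
    dport = tp["dport"] if tp else "-"
    line = f"{direction:>3} {name} {ip['src']}:{sport} -> {ip['dst']}:{dport}"
    if tp and ip["proto"] == IPPROTO_TCP:
        line += " [" + ",".join(n for n, bit in TCP_FLAGS if tp["flags"] & bit) + "]"
    return {"direction": direction, "proto": name, "ip": ip, "transport": tp, "summary": line}


def summarize(packets, local_ip):
    """Return (summary lines, number of outbound TCP datagrams seen)."""
    described = [d for d in (describe(p, local_ip) for p in packets) if d]
    out_tcp = sum(1 for d in described if d["direction"] == "out" and d["proto"] == "TCP")
    return [d["summary"] for d in described], out_tcp


# --- constructed sample datagrams (assumed addresses, no real traffic) ---------
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload  # checksum left zero: the decoder does not verify it


def build_tcp(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


LOCAL_IP = "192.168.1.10"  # assumed local address
SAMPLE_PACKETS = [
    build_ipv4(LOCAL_IP, "203.0.113.5", IPPROTO_TCP, build_tcp(49152, 80, 0x02)),     # out SYN
    build_ipv4("203.0.113.5", LOCAL_IP, IPPROTO_TCP, build_tcp(80, 49152, 0x12)),     # in SYN/ACK
    build_ipv4("203.0.113.53", LOCAL_IP, IPPROTO_UDP, build_udp(53, 51000, b"\0" * 12)),  # in DNS
]


def sniff(local_ip, count=50):
    """Windows-only raw-socket capture (administrator rights required). Per the
    answer above, on Vista the outbound-TCP count stays at zero with this method."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)  # receive every datagram on this interface
    try:
        return summarize([s.recv(65535) for _ in range(count)], local_ip)
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        lines, out_tcp = sniff(sys.argv[1])          # python sniff.py <local ip>
    else:
        lines, out_tcp = summarize(SAMPLE_PACKETS, LOCAL_IP)
    print("\n".join(lines))
    print(f"outbound TCP datagrams seen: {out_tcp}")
```

Run it with the local interface address as the only argument on Windows to see what the raw socket actually delivers; run it without arguments anywhere to exercise the decoder on the constructed datagrams. A zero in the final count while the host is clearly sending TCP traffic is the symptom the question describes, and the answer's fix is to move the capture point into the kernel (WFP callout at FWPS_LAYER_OUTBOUND_IPPACKET_V4/V6, or an NDIS LWF if you need layer 2).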

All replies

  • Hi,

    I don't think WFP is causing this behavior change.

    I think microsoft.public.windows.vista.networking_sharing is probably the best place to post this question to.

    Thanks,

    Biao.W.

    Thursday, October 18, 2007 9:21 PM
  • Hi,

    Thanks for your post.

    I can't capture outbound packets on Vista. I want to learn whether it is possible with WFP.

    I am not an advanced network programmer. I read some papers on MSDN. They say some APIs are not supported on Vista and WFP must be used on Vista. If I am wrong, please alert me.

    My program captures outbound UDP. It only doesn't capture outbound TCP packets.

    Thanks,

    Thursday, October 18, 2007 9:42 PM