[Winpcap-users] Active ethernet devices +
gianluca.varenni at cacetech.com
Tue Jun 3 23:57:07 GMT 2008
----- Original Message -----
From: "Mikael Hillborg" <mikael at hillborg.se>
To: <winpcap-users at winpcap.org>
Sent: Monday, June 02, 2008 11:07 AM
Subject: [Winpcap-users] Active ethernet devices +
> Two questions.
> Is it possible to check which ethernet adapters that are active / switched
> I call pcap_findalldevs_ex and then get a list of ethernet adapters,
> those that aren't connected (e.g. my wired ethernet card when I'm using
> 802.11 card). I'd like to check which ones that are active and which ones
> that aren't even connected. I get a handle (!= NULL) back from all of them
> when I open them with pcap_open and I can't find a way to check which
> one that is currently in use.
Currently there is no way to know if an adapter is connected or not
(i.e. cable connected and link-up in the case of ethernet, associated to an
AP in case of wireless) from WinPcap. I don't know if it's possible to get
such information from the IP helper API or through WMI (although I know
exactly that it's possible to get such information from a protocol driver).
> So basically I get a list of three cards. These are the "generic dial up
> VPN adapter", my ethernet adapter and the wireless card, which is by the
> way wrapped as a DLT_EN10MB device. Which brings me to the second
> question. It's actually possible to call pcap_open on the 802.11 card
> with the flag PCAP_OPENFLAG_PROMISCUOUS and the call will return a
> handle for me. But it's definitely not in "promiscuous mode", but
> I get a (!= NULL) handle back. Is that the way this call works? If the
> driver for the card doesn't support "promiscuous mode" (which almost no
> 802.11 cards on Windows do IIRC) then should it really reply with a handle
> and not NULL?
I will try to clarify some of your doubts:
- On Windows pre-Vista ALL the wireless card drivers deliver "cooked"
Ethernet packets. The miniport driver of the wireless network card takes
care of converting the native 802.11 packets into Ethernet packets and
vice versa. There is NO way to get 802.11 frames out of a normal wireless
card on Windows with the standard wireless card drivers. You need to use a
custom wireless capture solution like AirPcap.
- On Vista and beyond, *some* wireless card drivers are "native wi-fi"
drivers and should expose native 802.11 packets. In order to capture such
packets, you would need to develop an NDIS6 monitoring lightweight filter
driver to get such packets. WinPcap at the moment does not use such a
technique on Vista. Even in this case, I've already seen native wi-fi
drivers which deliver "cooked" 802.11 frames i.e. not the original ones.
They mainly strip some fields e.g. transforming DATA+QOS frames into DATA
- Most of the wireless cards do not support promiscuous mode. The call to
pcap_open with PCAP_OPENFLAG_PROMISCUOUS should fail, *but* there is a bug
that affects all the 4.0.x releases by which pcap_open doesn't fail but you
don't capture any packet. You need to use one of the 4.1 betas.
- When promiscuous mode is supported by the wireless network card driver,
you usually capture the data packets sent/received by your machine, plus
probably the data packets sent on the same channel (and probably on the
same BSSID) by other stations. The promiscuous behavior of a NIC card that
is associated to an AP is not documented, and changes from NIC driver to NIC
Hope it helps
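
An added example for the first question, not code from this thread or from WinPcap: IP Helper's GetAdaptersAddresses reports an OperStatus for each adapter, and its AdapterName is the same "{GUID}" that appears in a WinPcap device name, so the two can be joined. The function names same_adapter and pcap_dev_link_up are hypothetical, and the device name passed on the command line is assumed to be one returned by pcap_findalldevs_ex.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <iphlpapi.h>   /* link with iphlpapi.lib */
#endif

/* Match the "{GUID}" in a WinPcap device name against an IP Helper AdapterName. */
int same_adapter(const char *pcap_name, const char *adapter_name)
{
    const char *g = strchr(pcap_name, '{');
    if (g == NULL || adapter_name[0] != '{')
        return 0;
    for (; *g && *adapter_name; g++, adapter_name++) {
        if (toupper((unsigned char)*g) != toupper((unsigned char)*adapter_name))
            return 0;
        if (*g == '}')                      /* end of GUID reached on both */
            return adapter_name[1] == '\0';
    }
    return 0;
}

/* 1 = operationally up, 0 = not up, -1 = not found, API error, or non-Windows. */
int pcap_dev_link_up(const char *pcap_name)
{
    int state = -1;
#ifdef _WIN32
    ULONG len = 0;
    IP_ADAPTER_ADDRESSES *buf, *a;
    GetAdaptersAddresses(AF_UNSPEC, 0, NULL, NULL, &len);   /* size query */
    if ((buf = malloc(len)) == NULL) return -1;
    if (GetAdaptersAddresses(AF_UNSPEC, 0, NULL, buf, &len) == NO_ERROR)
        for (a = buf; a != NULL && state < 0; a = a->Next)
            if (same_adapter(pcap_name, a->AdapterName))
                state = (a->OperStatus == IfOperStatusUp);
    free(buf);
#else
    (void)pcap_name;    /* IP Helper exists only on Windows */
#endif
    return state;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        printf("%s -> %d\n", argv[1], pcap_dev_link_up(argv[1]));
    return 0;
}
```

A device name without a GUID, such as the dial-up adapter, yields -1 because there is no IP Helper record to join it with.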