[Winpcap-users] Active ethernet devices + PCAP_OPENFLAG_PROMISCUOUSon 802.11

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Jun 3 23:57:07 GMT 2008

----- Original Message ----- 
From: "Mikael Hillborg" <mikael at hillborg.se>
To: <winpcap-users at winpcap.org>
Sent: Monday, June 02, 2008 11:07 AM
Subject: [Winpcap-users] Active ethernet devices + 

> Hi,
> Two questions.
> Is it possible to check which ethernet adapters that are active / switched 
> on?
> I call pcap_findalldevs_ex and then get a list of ethernet adapters, 
> including
> those that aren't connected (e.g. my wired ethernet card when I'm using 
> the
> 802.11 card). I'd like to check which ones that are active and which ones
> that aren't even connected. A get a handle (!= NULL) back from all of them
> when I open them with pcap_open and I can't find a way to check which
> one that is currently in use.

Currently there is no way to know if the an adapter is connected or not 
(i.e.  cable connected and link-up in the case of ethernet, associated to an 
AP in case of wireless) from WinPcap. I don't know if it's possible to get 
such information from the IP helper API or through WMI (although I know 
exactly that it's possible to get such information from a protocol driver).

> So basically I get a list of three cards. These are the "generic dial up 
> and
> VPN adapter", my ethernet adapter and the wireless card, which is by the
> way wrapped as a DLT_EN10MB device. Which brings me to the second
> question. It's actually possible to call pcap_open on the 802.11 card
> with the flag PCAP_OPENFLAG_PROMISCUOUS and the call will return a
> handle for me. But it's definitely not in "promiscous mode", but 
> nevertheless
> I get a (!= NULL) handle back. Is that the way this call works? If the 
> 802.11
> driver for the card doesn't support "promiscous mode" (which almost no
> 802.11 cards on Windows do IIRC) then should it really reply with a handle
> and not NULL?

I will try to clarify some of your doubts
- on windows pre-Vista ALL the wireless card drivers deliver "cooked" 
Ethernet packets. The miniport driver of the wireless network card takes 
care of converting the native 802.11 packets into ethernet packets and 
viceversa. There is NO way to get 802.11 frames out of a normal wireless 
card on Windows with the standard wireless card drivers. You need to use a 
custom wireless capture solution like AirPcap.
- On vista and beyond, *some* wireless card drivers are "native wi-fi" 
drivers and should expose native 802.11 packets. In order to capture such 
packets, you would need to develop a NDIS6 monitoring lightweight filter 
driver to get such packets. WinPcap at the moment does not use such 
technique on Vista. Even in this case, I've already seen native wi-fi 
drivers which deliver "cooked" 802.11 frames i.e. not the original ones. 
They mainly strip some fields e.g. transforming DATA+QOS frames into DATA 
- most of the wireless cards do not support promiscuous mode. The call to 
pcap_open with PCAP_OPENFLAG_PROMISCUOUS should fail, *but* there is a bug 
that affects all the 4.0.x releases by which pcap_open doesn't fail but you 
don't capture any packet. You need to use one of the 4.1 beta's.
- when promiscuous mode is supported by the wireless network card driver, 
you usually capture the data packets sent/received by your machine, plus 
probably the data packets on sent on the same channel (and probably on the 
same BSSID) by other stations. The promiscuous behavior of a NIC card that 
is associated to an AP is not documented, and changes from NIC driver to NIC 

Hope it helps

> Regards
> Mikael


> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users

More information about the Winpcap-users mailing list