[Winpcap-users] PacketOpenAdapter

Gianluca Varenni gianluca.varenni at cacetech.com
Wed Jun 25 18:02:13 GMT 2008


----- Original Message ----- 
From: "Alex Foygel (TT)" <Alex.Foygel at tradingtechnologies.com>
To: <winpcap-users at winpcap.org>
Sent: Wednesday, June 25, 2008 10:03 AM
Subject: RE: [Winpcap-users] PacketOpenAdapter


> Sorry for going slightly off the topic, but after reading your
> description (about WinPcap inserting its driver into the protocol
> stack), I have a question:
>
> If I have WinPcap installed on my box and am NOT running WinPcap (or
> Wireshark, or anything else of this nature) on my box now, do I incur
> any overhead because of the WinPcap driver being in my stack, as
> described in your post?

Apart from a tiny memory overhead (in the order of some 10kB, probably) due 
to the driver being loaded into memory, no. WinPcap attaches to the actual 
device stack of an adapter only when you open a capture instance.

Have a nice day
GV

>
> Thanks,
> Alex Foygel
>
> -----Original Message-----
> From: winpcap-users-bounces at winpcap.org
> [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Fish
> Sent: Wednesday, June 25, 2008 11:19 AM
> To: winpcap-users at winpcap.org
> Subject: RE: [Winpcap-users] PacketOpenAdapter
>
> Wei Gao wrote:
>
>> I am using PacketOpenAdapter (included in Packet.dll 4.0.0) to get
>> Wi-Fi adapter information (including the NPF driver handle) before
>> continuing my process. However PacketOpenAdapter fails when the
>> adapter is added to the system after Winpcap package is installed.
>> It seems that the newly added adapter is not in Winpcap adapter
>> information database, so PacketOpenAdapter fails to find it. Is
>> there a way to resolve this?
>
> Yes. Keep reading. :)
>
>
>> Particularly is there an API that can update Winpcap adapter
>> database so I can always call it before continuing my process?
>
> Not that I'm aware of, no.
>
>
>> I am running this on WinXP SP2. Thanks!
>
> Hopefully GV (Gianluca Varenni) will correct me if I'm wrong about
> this, but as far as I know the ONLY way to capture packets on a newly
> installed adapter (i.e. on an adapter that was installed AFTER
> WinPcap had already been previously installed) is to first uninstall
> and then REINSTALL WinPcap afterwards.
>
> The way I understand it is this: whenever WinPcap is installed, it
> inserts its own protocol driver into each adapter's driver stack so
> that it can sniff the packets flowing into and out of that particular
> network adapter.
>
> If you then install a brand new adapter, it of course installs
> whatever set of device drivers it happens to need in order to use
> that particular piece of hardware, but what it DOESN'T do is
> automatically invoke WinPcap's device driver installation program.
> That is to say, whenever you install a new network adapter, WinPcap
> does NOT somehow "magically" know about it. (Neither WinPcap *nor*
> the installation program for your new adapter is psychic after all!)
>
> Thus whenever you install a new network adapter AFTER WinPcap has
> already been installed, since WinPcap's device driver is thus NOT
> inserted into that particular adapter's driver stack, there's NO
> FRICKIN' WAY for WinPcap to *ever* sniff *any* traffic on that
> particular adapter!
>
> Until, that is, you first UNINSTALL and then REINSTALL WinPcap.
>
> Once you re-install WinPcap again however [after installing your new
> adapter], the WinPcap installation program is then able, at *that*
> moment, to FINALLY "see" this new adapter of yours and to insert
> itself into that adapter's driver stack, thereby allowing you to use
> WinPcap to sniff traffic on that adapter.
>
> Do you understand now?
>
> The rule is (and Gianluca, please correct me if I'm wrong about
> this!):
>
>  Always, *always*, *ALWAYS*, re-install WinPcap after installing a
> new network adapter -- if you want to be able to use WinPcap on that
> adapter that is.
>
> -- 
> "Fish" (David B. Trout) - fish(at)infidels.org
> Fight Spam! Join CAUCE! <http://www.cauce.org/>
> (Any HTML email received will be deleted unread)
> PGP key fingerprints:
> RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
> DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users


