[Winpcap-users] Capturing packets at boot time

Gianluca Varenni gianluca.varenni at cacetech.com
Mon May 5 17:21:11 GMT 2008


I seriously doubt you can have any guarantee of capturing *all* the packets 
that are sent/received at boot time.

Assuming that the packets are sent/received only by the tcp/ip protocol 
stack, you need to guarantee that the winpcap driver starts *before* the 
tcp/ip protocol driver (and this can be done theoretically by changing the 
service dependencies, although I've never tried myself), then making sure 
that the capture application starts before tcp/ip. In order to do that you 
need to create a service application to capture packets (i.e. you cannot use 
tshark), and again play with the service dependencies. Can you have a driver 
depend (for its startup) on a service? I think so, but I never tried myself.

Have a nice day
GV


----- Original Message ----- 
From: "Dev Null" <devj.nullj at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Saturday, May 03, 2008 1:30 PM
Subject: [Winpcap-users] Capturing packets at boot time


> Hi
>
> I would like to capture packets that my machine transmits or receives
> at boot time.
> How can this be done using winpcap and tshark?
>
> Please note that I do not have the option to go to another machine and
> sniff packets there in promiscuous mode. I need to automatically start
> winpcap and tshark at system boot so that all the packets exchanged at
> boot are captured.
>
>
> I have Windows XP SP2 installed.
>
> Thanks for any help in advance.
>
> --
> devj

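Added example (not part of the original messages and not WinPcap code): a simplified Python model of the start ordering discussed in the reply, comparing each component's Start type and load-order Group against the TCP/IP driver. The service names NPF (WinPcap driver) and Tcpip are the usual Windows names, CaptureSvc is hypothetical, and all values below are constructed; substitute the ones found under HKLM\SYSTEM\CurrentControlSet\Services\<name> and Control\ServiceGroupOrder on the machine. Tag ordering and DependOnService are not modelled.

```python
# Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name>:
#   0 boot, 1 system, 2 auto, 3 demand, 4 disabled. Lower phases run earlier.
# Win32 services can only use 2, 3 or 4; 0 and 1 are valid for drivers only.
AUTO = 2

def load_key(svc, group_order):
    """Sort key: (start phase, position of Group in ServiceGroupOrder List)."""
    group = svc.get("Group")
    # No group, or a group missing from the list, sorts after every listed group.
    pos = group_order.index(group) if group in group_order else len(group_order)
    return (svc["Start"], pos)

def starts_before(first, second, services, group_order):
    """Return 'yes', 'no' or 'undetermined': does `first` start before `second`?"""
    a, b = services[first], services[second]
    if a["Start"] > AUTO:
        return "no"            # demand/disabled: not started by the boot sequence
    if b["Start"] > AUTO:
        return "undetermined"  # `second` is started on demand, outside this model
    ka, kb = load_key(a, group_order), load_key(b, group_order)
    if ka == kb:
        return "undetermined"  # same phase and group: Tag/dependencies decide
    return "yes" if ka < kb else "no"

def report(services, group_order, reference="Tcpip"):
    """Check every other entry against the reference driver."""
    return {name: starts_before(name, reference, services, group_order)
            for name in services if name != reference}

# Constructed sample values, not read from a real machine.
GROUP_ORDER = ["NDIS", "PNP_TDI", "TDI"]
SERVICES = {
    "Tcpip":      {"Start": 1, "Group": "PNP_TDI"},  # system-start driver
    "NPF":        {"Start": 3},                      # demand-start driver
    "CaptureSvc": {"Start": 2},                      # hypothetical Win32 capture service
}

if __name__ == "__main__":
    for name, verdict in report(SERVICES, GROUP_ORDER).items():
        print(f"{name} starts before Tcpip: {verdict}")
```

With these sample values, neither the driver nor the capture service starts before Tcpip; a Win32 service can start no earlier than the auto phase, so it cannot precede a system-start driver in this model.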

