[Winpcap-users] packet filtering in winpcap

Guy Harris guy at alum.mit.edu
Thu Jan 7 20:36:15 PST 2010

On Jan 7, 2010, at 3:44 PM, Joshua (Shiwei) Zhao wrote:

> I'm using winpcap 4.1, and curious whether/how winpcap filters packets.

Is that "filters" as in OID_GEN_PACKET_FILTER:


The "filtering" as in BPF/libpcap-style filtering doesn't have anything to do with this.

> I have a native WiFi driver (for Ndis6.0) which can be put into
> monitor mode manually. When it's in monitor mode, can winpcap get the
> packets and forward to Wireshark?

Probably not.

To quote


"Usually, when the miniport driver indicates 802.11 packets, the packets are complete media access control (MAC) service data unit (MSDU) or MAC management protocol data unit (MMPDU) packets. In this situation, the 802.11 station has reassembled and decrypted each MAC protocol data unit (MPDU) fragment for the MSDU or MMPDU packet. If an MPDU fails during decryption or verification, the 802.11 station must discard all MPDU fragments and the miniport driver must not make the packet indication through a call to NdisMIndicateReceiveNetBufferLists.

However, if enabled for raw packet indication, the miniport driver must make the packet indication for every received MPDU fragment of an MSDU or MMPDU packet regardless of whether the MPDU fragment succeeded or failed to decrypt.

The miniport driver must indicate raw 802.11 packets when the current packet filter is set to one of the following:

	When this packet filter is enabled, the miniport driver must indicate each raw MPDU fragment for an MSDU packet.
	When this packet filter is enabled, the miniport driver must indicate each raw MPDU fragment for an MMPDU packet.

For more information about how the current packet filter is set or queried, see OID_GEN_CURRENT_PACKET_FILTER."

That probably means that, unless the current packet filter for a given protocol driver has those enabled, no raw 802.11 packets will be delivered to the protocol driver.  WinPcap is an NDIS 5 protocol driver, so it doesn't know that those filter types even exist, and thus doesn't turn them on.  So

> Or does winpcap filter out those
> packets because they're ndis6.0 and not being supported?

is sort of what's happening, except that WinPcap doesn't explicitly say "oh, this is an NDIS 6 packet, I'll discard it" - it doesn't even know how to ask to be *given* those packets!

> Now on win7/vista, Wireshark cannot see any packets passed by winpcap
> although the driver is in monitor mode and MS's Netmon does capture all
> packets.

NetMon's kernel code for NDIS supports NDIS 6 and *can* ask for those packets.