Wireshark-dev: Re: [Wireshark-dev] PPP capture

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 11 Jan 2016 17:56:37 -0800
On Jan 11, 2016, at 5:42 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> AFAIK, Npcap/WinPcap works on the data link level and it sees the Ethernet frames.

It sees data link frames, whatever they might happen to be; it's not necessary Ethernet.

> In my understanding, VPN SSL (https) or raw HTTP is just data of high-levels (IP packets) for Npcap/WinPcap. I don't know if it's appropriate or viable for Npcap/WinPcap to see this data.

It's appropriate for WinPcap/NPcap to see packets from any interface it can attach to via NDIS.  It should just pass those packets on to its caller, and not do any decryption or anything else on it - if the OS provides decrypted packets (i.e., supplies decrypted packets to drivers attached to the interface via NDIS), it should pass them onto its caller to display, and if it provides *encrypted* packets (i.e., supplies raw packets to drivers attached to the interface via NDIS), it should pass them onto its caller and leave it up to the caller to decrypt.