Wireshark-dev: Re: [Wireshark-dev] PPP capture

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Tue, 12 Jan 2016 22:36:18 +0800


On Tue, Jan 12, 2016 at 9:56 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jan 11, 2016, at 5:42 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> AFAIK, Npcap/WinPcap works on the data link level and it sees the Ethernet frames.

It sees data link frames, whatever they might happen to be; it's not necessary Ethernet.

Yeah, my phrases were not precise, I wanna mean this:)
 

> In my understanding, VPN SSL (https) or raw HTTP is just data of high-levels (IP packets) for Npcap/WinPcap. I don't know if it's appropriate or viable for Npcap/WinPcap to see this data.

It's appropriate for WinPcap/NPcap to see packets from any interface it can attach to via NDIS.  It should just pass those packets on to its caller, and not do any decryption or anything else on it - if the OS provides decrypted packets (i.e., supplies decrypted packets to drivers attached to the interface via NDIS), it should pass them onto its caller to display, and if it provides *encrypted* packets (i.e., supplies raw packets to drivers attached to the interface via NDIS), it should pass them onto its caller and leave it up to the caller to decrypt.

Another inaccuracy, I agree that WinPcap/Npcap should see and present the data the way it is. the NDIS technique WinPcap/Npcap is based on has no idea how the higher-level data like SSL are organized or encrypted.
 
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe