Wireshark-users: Re: [Wireshark-users] Ethereal - how it reads data from NDIS driver

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 13 Nov 2006 12:14:18 -0800
Maxim Bakushin wrote:

> I have a WinXP SP2 machine with an NDIS driver installed. An application running on this machine re-assembles VLAN-tagged Ethernet frames and sends them to a router via an L2 switch. When I run Ethereal (0.99.0, WinPcap 3.1) on this machine, I can see correct VLAN-tagged Ethernet frames sent to the destination, but when I monitor (with Ethereal) the LAN between that machine and the L2 switch, the frames do not include the VLAN tags. It seems strange to me.

Whether you'll see VLAN tags or not on Windows depends on whether the network adapter is configured to be "on a VLAN" or not, and on various other things:

	http://wiki.wireshark.org/CaptureSetup/VLAN#head-81781716144f2855ab0aff2f8b752e95f2562efb

> So, my question is: what is the source of information for Ethereal on the WinXP machine?

The source of information is WinPcap, which connects its transport-layer driver to NDIS. For details, ask the WinPcap developers, or see some of their papers, such as

	http://www.winpcap.org/docs/iscc01-wpcap.pdf

linked to from the page at

	http://www.winpcap.org/devel.htm