Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2017-12-28 16:49:18 +0000

sindy gravatar image

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings" (the chainwheel icon)
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings" (the chainwheel icon)
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MACa address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings" (the chainwheel icon)
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MACa address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface.

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings" (the chainwheel icon)
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MACa address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface.

interface before connecting the infected machine.

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings" (the chainwheel icon)settings"
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MACa address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface before connecting the infected machine.

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings"
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' lanuage, language, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MACa MAC address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface before connecting the infected machine.