This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

network stack Wireshark driver placement

0
1

How can I list the order of drivers in the Windows network stack? For example, when installing Wireshark, winpcap will place itself before the NIC driver. I'm asking because I was reading that in the case of VPN solutions Wireshark sometimes won't be able to capture frames because of how the driver was written, so per my understanding the VPN's driver needs to be before winpcap and the physical NIC driver, correct?

asked 10 Aug '16, 00:43


adasko
86343842
accept rate: 0%

edited 10 Aug '16, 00:46


2 Answers:

2

Npcap is the NDIS 6 fork of WinPcap. And there is a sequence for all filter drivers in the NDIS 6 stack. Some of the filters on my Win10 are here:

Service Name  Description                                 FilterClass                 Inf File
MsBridge      Microsoft MAC Bridge                        ms_implatform               netbrdg.inf
WfpLwfs       WFP 802.3 MAC Layer LightWeight Filter      ms_firewall_upper           wfplwfs.inf  
WfpLwfs       WFP Native MAC Layer LightWeight Filter     ms_medium_converter_bottom  wfplwfs.inf  
WfpLwfs       Microsoft Windows Filtering Platform        ms_switch_filter            wfplwfs.inf  
vwififlt      Virtual WiFi Filter Driver                  ms_medium_converter_128     netvwififlt.inf  
npf           Npcap Packet Driver (NPCAP)                 compression                 npf.inf  
Psched        QoS Packet Scheduler                        scheduler                   netpacer.inf  
NativeWifiP   NativeWiFi Filter                           ms_medium_converter_top     netnwifi.inf  
NdisCap       Microsoft NDIS Capture                      ms_switch_capture           ndiscap.inf  
jnprns        Juniper Network Service                     NULL                        jnprns.inf  
VBoxNetLwf    VirtualBox NDIS6 Bridged Networking Driver  compression                 VBoxNetLwf.inf

The most important part is the FilterClass. It determines the filter sequence. It's defined here.

The sequence is:

ms_firewall_upper
scheduler
encryption
compression
vpn
loadbalance
failover
diagnostic
custom
provider_address
ms_implatform
ms_switch_capture
ms_switch_filter
ms_switch_reserved
ms_switch_forward
ms_firewall_lower
ms_medium_converter_top
ms_medium_converter_128
ms_medium_converter_bottom

Npcap's FilterClass is compression. So it will be higher than all "vpn" filters and lower than "encryption" filters.

But I don't know VPN drivers well; you can't assume they are using the "vpn" FilterClass, because when you capture in Wireshark with Npcap you can still see the VPN's encrypted packets. So it means that Npcap is lower than the VPN software.

answered 10 Aug '16, 09:01


Yang Luo
9117
accept rate: 4%

edited 11 Aug '16, 02:01

So the Npcap driver is a modifying filter driver rather than a monitoring filter driver?

(10 Aug '16, 17:23) Guy Harris ♦♦
1

@Guy Harris, yes. Npcap has been a modifying LWF from the very beginning, because a monitoring filter can't originate its own packets into the NDIS stack, but Npcap needs to send packets in the Tx direction.

(10 Aug '16, 17:39) Yang Luo

I'm not sure I got it all right, but wouldn't that mean that a network capture using NETSH would capture the greatest amount of packets?

(11 Aug '16, 01:14) adasko

On what do you base such a conclusion? Do you know which of the filter classes netsh is using to capture?

(11 Aug '16, 01:37) sindy

@sindy That's the point. Maybe I'm wrong, I don't know, I'm just trying to understand. I have the following filters on my Windows 7:

Filter Count: 9
Filter List:

Description : Virtual WiFi Filter Driver
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{5CBF81BF-5055-47CD-9055-A76B2B4E3698}

Description : Microsoft Network Monitor 3 Driver
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{6E022F38-AB31-44C5-8206-2EB023EFF145}

Description : Symantec Endpoint Protection Firewall
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{72891E7B-0A3D-4541-BDCB-3DA62E25B6A8}

Description : QoS Packet Scheduler
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}

Description : WFP Lightweight Filter
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B70D6460-3635-4D42-B866-B8AB1A24454C}

Description : Microsoft PEF NDIS ETW Provider Driver
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{BD583A2D-7410-4BD1-B9C0-ECA0E65E6980}

Description : Juniper Network Service
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{C02D1E54-FBAB-46BB-8052-BE25AB90C99A}

Description : NativeWiFi Filter
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E475CF9A-60CD-4439-A75F-0079CE0E18A1}

Description : NDIS Capture LightWeight Filter
PSPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\control\network\{4d36e974-e325-11ce-bfc1-08002be10318}\{EA24CD6C-D17A-4348-9190-09F0D5BE83DD}

Microsoft Network Monitor 3 Driver was installed because I've installed NetMon. I can see one for Juniper (it's my VPN). Is there a way to list the preferred order in which the filters are going to be used?

(11 Aug '16, 07:49) adasko

Adam, some months ago @Yang Luo gave me a link to a piece of software which lists all drivers. That software, if I remember right, shows the FilterClass of the driver. Or you can use regedit to find the FilterClass, using one of the long hexadecimal IDs as a search key.

(11 Aug '16, 08:09) sindy

If you mean InstalledDriversList, it probably doesn't show you the FilterClass, because it's not only for NDIS filter drivers. There is no ready way to get the existing filters' sequence automatically. You can write a program to read the registry key to do that. Read their FilterClass, then match them with MSDN's sequence.

(11 Aug '16, 09:07) Yang Luo
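As an added example (not code from this thread, from Npcap, or from Microsoft), here is a PowerShell script that does what Yang Luo describes in the answer and the comment above: read each NetService component's `Ndi\FilterClass` from the registry and order the filters by the documented FilterClass sequence. It also reads `Ndi\FilterType`, which distinguishes the monitoring and modifying filters discussed in Guy Harris's comment. The registry value names (`Ndi\Service`, `Ndi\FilterClass`, `Ndi\FilterType`, `Description`, `InfPath`) and the FilterType meanings are assumptions taken from the NDIS filter INF conventions rather than from this page, and the function and parameter names are mine.

```powershell
# Added example: list NDIS 6 lightweight filters and sort them by FilterClass.
#
# Assumed registry layout (what an NDIS filter INF writes via HKR,Ndi,...):
#   HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{instance GUID}
#       Description, InfPath                          values on the instance key
#       Ndi\Service, Ndi\FilterClass, Ndi\FilterType  values on the Ndi subkey
# Assumed FilterType meaning: 1 = monitoring filter, 2 = modifying filter.

# FilterClass sequence as quoted in the answer above; first entry is highest in the stack
# (closest to the protocol drivers), last entry is lowest (closest to the NIC miniport).
$FilterClassOrder = @(
    'ms_firewall_upper', 'scheduler', 'encryption', 'compression', 'vpn',
    'loadbalance', 'failover', 'diagnostic', 'custom', 'provider_address',
    'ms_implatform', 'ms_switch_capture', 'ms_switch_filter', 'ms_switch_reserved',
    'ms_switch_forward', 'ms_firewall_lower', 'ms_medium_converter_top',
    'ms_medium_converter_128', 'ms_medium_converter_bottom'
)

function Get-NdisFilterStack {
    [CmdletBinding()]
    param(
        # NetService setup class key; each GUID subkey is one installed network service or filter.
        [string]$NetServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}'
    )

    # Map class name -> position in the sequence; unknown or missing classes sort last.
    $rank = @{}
    for ($i = 0; $i -lt $FilterClassOrder.Count; $i++) { $rank[$FilterClassOrder[$i]] = $i }

    Get-ChildItem -Path $NetServiceKey -ErrorAction SilentlyContinue | ForEach-Object {
        $instance = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $ndi      = Get-ItemProperty -Path ($_.PSPath + '\Ndi') -ErrorAction SilentlyContinue

        # Only NDIS filter drivers carry Ndi\FilterType; skip every other NetService component.
        if ($null -eq $ndi -or $null -eq $ndi.PSObject.Properties['FilterType']) { return }

        $class = ''
        if ($ndi.PSObject.Properties['FilterClass']) { $class = ([string]($ndi.FilterClass)).ToLowerInvariant() }
        $pos = if ($rank.ContainsKey($class)) { $rank[$class] } else { [int]::MaxValue }

        $type = switch ([int]($ndi.FilterType)) {
            1       { 'monitoring' }
            2       { 'modifying' }
            default { "unknown($_)" }
        }

        $inf = ''
        if ($instance.InfPath) { $inf = Split-Path -Leaf ([string]($instance.InfPath)) }

        [pscustomobject]@{
            Position    = $pos
            Service     = $ndi.Service
            Description = $instance.Description
            FilterClass = if ($class) { $class } else { 'NULL' }
            FilterType  = $type
            InfFile     = $inf
        }
    } | Sort-Object Position, Service
}

# Print the stack from top (nearest the protocols) to bottom (nearest the NIC miniport).
Get-NdisFilterStack | Format-Table Service, Description, FilterClass, FilterType, InfFile -AutoSize
```

Reading HKLM does not need an elevated prompt. A filter whose `FilterClass` is absent or not in the documented list (Yang Luo's table shows `jnprns` with `NULL`) is placed at the end of the output only because its position is unknown, not because it is known to sit lowest in the stack; filters that share a class are listed together, and this script says nothing about the order among them.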

1

This document: "Fulvio Risso, Loris Degioanni, An Architecture for High Performance Network Analysis, Proceedings of the 6th IEEE Symposium on Computers and Communications (ISCC 2001), Hammamet, Tunisia, July 2001", contains the most detailed description there is on this subject, especially section 4.2.

answered 10 Aug '16, 01:21


Jaap ♦
11.7k16101
accept rate: 14%

1

The npcap project aims at replacing winpcap with a more modern driver https://github.com/nmap/npcap

(10 Aug '16, 03:57) Anders ♦

The npcap project aims at replacing winpcap with a more modern driver

See @Yang Luo's answer above for some information about it. (The more modern driver only works on Windows Vista and later, as it requires NDIS 6.)

(11 Aug '16, 11:12) Guy Harris ♦♦