This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

winpcap receiving peek point from npf driver


Hi All,

This is Karun from India (Hyderabad) of Redpine Signals. Actually, I want to give my own packet in order to display it in Wireshark. So I am going through the source code of Wireshark and WinPcap (as it is the capturing library/driver). I figured out the peek point where packet.dll is used for packet capturing from the npf driver, as described below.

Wireshark <-- wpcap.dll <-- packet.dll <-- npf.sys (driver where actual capture happens) <-- packets.

pcap_read_win32_npf() -> PacketReceivePacket() function in wpcap/libpcap/pcap-win32.c.

So I hard coded my known packet format after returning from the PacketReceivePacket() function in the WinPcap 4.1.3 source code. After compilation, I copied packet.dll, wpcap.dll & npf.sys to their respective folders, and I am able to see my known packet in the Wireshark application as an LLC packet, but along with mine some other packets, so-called UDP, LLMNR, NBNS, SSDP, ARP packets, are also coming to the Wireshark application. Can anyone tell me where these packets are coming from, as pcap_read_win32_npf is the only function to capture packets (to the best of my knowledge)?

winpcap

asked 29 Jun '15, 22:34

karun256


edited 29 Jun '15, 22:44


One Answer:


Hi, I am getting my hard coded packet. The other packets are not coming; it was because of a memory issue. I used memset before calling the PacketReceivePacket function and copied my packet using memcpy. Now it's working fine. I am able to see my packet; now the challenge is to update the timestamp. I am getting the 0.0000 timestamp for my every packet. Can anyone tell me where I can find the timestamp updation?

Thanks, karun.

answered 30 Jun '15, 21:48


karun256
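The buffer that PacketReceivePacket() fills and that pcap_read_win32_npf() walks is a sequence of bpf_hdr records, each followed by the captured bytes and padded to a 4-byte boundary; the timestamp lives in the header, not in the packet bytes, so a packet copied in with memcpy alone shows up as 0.000000. The following is an added example, not code from the question, the answer or the WinPcap sources: it models that record layout (struct npf_bpf_hdr and NPF_ALIGN are assumed stand-ins for WinPcap's bpf_hdr and Packet_WORDALIGN), appends records with and without a timestamp, and walks the buffer the way the reader does.

```c
/* Added example: minimal model of the NPF capture buffer format.
 * Assumption: npf_bpf_hdr mirrors WinPcap's struct bpf_hdr layout. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct timeval32 { int32_t tv_sec; int32_t tv_usec; };

struct npf_bpf_hdr {
    struct timeval32 bh_tstamp; /* capture time; stays 0.000000 if never set */
    uint32_t bh_caplen;         /* bytes stored after the header */
    uint32_t bh_datalen;        /* original length on the wire */
    uint16_t bh_hdrlen;         /* header size incl. padding */
};

#define NPF_ALIGN(x) (((x) + 3) & ~3u)   /* Packet_WORDALIGN equivalent */

/* Append one record; returns new write offset, or 0 if it does not fit. */
size_t npf_append(uint8_t *buf, size_t off, size_t cap,
                  int32_t sec, int32_t usec, const uint8_t *pkt, uint32_t len)
{
    struct npf_bpf_hdr h;
    size_t need = NPF_ALIGN(sizeof h + len);
    if (off + need > cap) return 0;
    memset(&h, 0, sizeof h);            /* zeroed header == zero timestamp */
    h.bh_tstamp.tv_sec = sec;
    h.bh_tstamp.tv_usec = usec;
    h.bh_caplen = len;
    h.bh_datalen = len;
    h.bh_hdrlen = (uint16_t)sizeof h;
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, pkt, len);
    return off + need;
}

/* Walk records like pcap_read_win32_npf(); returns record count and
 * reports how many carry a zero timestamp (the symptom in the answer). */
int npf_walk(const uint8_t *buf, size_t len, int *zero_ts)
{
    size_t off = 0; int n = 0; *zero_ts = 0;
    while (off + sizeof(struct npf_bpf_hdr) <= len) {
        struct npf_bpf_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.bh_hdrlen < sizeof h || off + h.bh_hdrlen + h.bh_caplen > len) break;
        if (h.bh_tstamp.tv_sec == 0 && h.bh_tstamp.tv_usec == 0) (*zero_ts)++;
        n++;
        off += NPF_ALIGN(h.bh_hdrlen + h.bh_caplen);   /* skip to next record */
    }
    return n;
}
```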