Wireshark and NetMon (was Re: Frame comments in Microsoft Network Monitor)

[Guy Harris <guy () alum mit edu>]

On Mar 3, 2012, at 7:12 AM, Krishnamurthy Mayya wrote:

> Just wanted to understand in what way these 2 (MS network monitor and Wireshark) differ??

Well, there are several ways in which they differ.  Some of them are:

        1) Wireshark is released under the GNU Public License; its source code is available to all, and if anybody 
makes a modified version of Wireshark available, they must make it available in source form to everybody to whom they 
make it available in binary form (see the GPL, Version 2:

                http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

           and the FAQ about it:

                http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html

           for a more detailed and perhaps more correct explanation).  It is available at no cost.

           Microsoft Network Monitor (henceforth referred to as "NetMon") is available at no cost, but its source code 
is not available.

        2) Wireshark dissects packets by directly executing code, written in C, Lua (for versions of Wireshark built 
with Lua) or, I think, Python (for versions of Wireshark built with the Python interpreter); a third-party plugin:

                http://wsgd.free.fr/

           allows packet formats to be described in a packet description language.  Tools exist to transform some 
packet description languages (ASN.1, Samba's PIDL interface description language for DCERPC/MSRPC, CORBA IDL) into C 
code.

           NetMon dissects packets by using packet descriptions written in NetMon's own packet description language.

        3) Wireshark runs on Windows and a number of UN*Xes (Linux distributions, *BSD, Mac OS X, Solaris, HP-UX, AIX, 
etc.).

           NetMon runs only on Windows (it might be able to run, without support for packet capture, on x86 UN*Xes 
under Wine).

        4) Wireshark can read capture files in a number of formats, including both pcap and pcap-NG format, as well as 
various formats from other packet analyzers, including NetMon format.

           NetMon can read both its native format and pcap format; it supports some features of its native format that 
Wireshark does not (including, at present, frame comments).

> I just noticed that wireshark uses winPcap where as the other uses NDIS.

Actually, they both use NDIS.  As far as I know, Microsoft don't provide any way of directly accessing NDIS drivers 
from userland, so WinPcap includes

        1) a driver that connects to NDIS and provides I/O operations that can be accessed from userland;

        2) a low-level userland library that accesses that driver (packet.dll);

        3) a version of libpcap that uses that low-level userland library (wpcap.dll).

I don't know how NetMon plugs into NDIS; I suspect it installs its own driver with its own userland code that accesses 
it.

> Any more thoughts on this??

NetMon, on Windows Vista and later, plugs into NDIS 6, which means it can support capturing in monitor mode.  I don't 
know whether WinPcap's driver could plug into NDIS 6; if it did, it could also support monitor mode (using the 
already-existing libpcap APIs for that, which Wireshark 1.6 and later use if available, so the existing 
tcpdump/WinDump, dumpcap, TShark, and Wireshark UI would also work).

NetMon might also plug into NDIS in a different fashion from the WinPcap driver, which might allow it to capture on PPP 
devices such as mobile phone modems and VPN connections.  However, there might also be NetMon-specific hooks in the 
Windows networking stack, so that *only* NetMon can plug into NDIS in that fashion; I seem to remember a discussion 
with the WinPcap developers in which they'd discovered that Windows was looking for a driver with a particular name (I 
think the name included "bh" for "Bloodhound", which I think was the internal code name/project name for NetMon).

> Is there any other hardware kind of dependencies present??

Hardware dependencies of what sort?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe