Wireshark mailing list archives

Re: Wireshark and NetMon (was Re: Frame comments in Microsoft Network Monitor)


From: Krishnamurthy Mayya <krishnamurthymayya () gmail com>
Date: Sun, 4 Mar 2012 12:26:42 +0530

Thanks a lot for the wonderful reply Harris... was really useful.
And ya, the final question I did not make it very clear. Hardware
dependencies in the sense of what kind of device drivers or network adapters
(NICs) a system has. I don't really know whether the packet capturing
software has anything to do with these hardware modules. So, wanted to
understand.

On Sun, Mar 4, 2012 at 2:20 AM, Guy Harris <guy () alum mit edu> wrote:


On Mar 3, 2012, at 7:12 AM, Krishnamurthy Mayya wrote:

Just wanted to understand in what way these 2 (MS network monitor and
Wireshark) differ??

Well, there are several ways in which they differ.  Some of them are:

       1) Wireshark is released under the GNU Public License; its source
code is available to all, and if anybody makes a modified version of
Wireshark available, they must make it available in source form to
everybody to whom they make it available in binary form (see the GPL,
Version 2:

               http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

          and the FAQ about it:

               http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html

          for a more detailed and perhaps more correct explanation).  It
is available at no cost.

          Microsoft Network Monitor (henceforth referred to as "NetMon")
is available at no cost, but its source code is not available.

       2) Wireshark dissects packets by directly executing code, written
in C, Lua (for versions of Wireshark built with Lua) or, I think, Python
(for versions of Wireshark built with the Python interpreter); a
third-party plugin:

               http://wsgd.free.fr/

          allows packet formats to be described in a packet description
language.  Tools exist to transform some packet description languages
(ASN.1, Samba's PIDL interface description language for DCERPC/MSRPC, CORBA
IDL) into C code.

          NetMon dissects packets by using packet descriptions written in
NetMon's own packet description language.

       3) Wireshark runs on Windows and a number of UN*Xes (Linux
distributions, *BSD, Mac OS X, Solaris, HP-UX, AIX, etc.).

          NetMon runs only on Windows (it might be able to run, without
support for packet capture, on x86 UN*Xes under Wine).

       4) Wireshark can read capture files in a number of formats,
including both pcap and pcap-NG format, as well as various formats from
other packet analyzers, including NetMon format.

          NetMon can read both its native format and pcap format; it
supports some features of its native format that Wireshark does not
(including, at present, frame comments).

I just noticed that Wireshark uses WinPcap whereas the other uses NDIS.

Actually, they both use NDIS.  As far as I know, Microsoft don't provide
any way of directly accessing NDIS drivers from userland, so WinPcap
includes

       1) a driver that connects to NDIS and provides I/O operations that
can be accessed from userland;

       2) a low-level userland library that accesses that driver
(packet.dll);

       3) a version of libpcap that uses that low-level userland library
(wpcap.dll).

I don't know how NetMon plugs into NDIS; I suspect it installs its own
driver with its own userland code that accesses it.

Any more thoughts on this??

NetMon, on Windows Vista and later, plugs into NDIS 6, which means it can
support capturing in monitor mode.  I don't know whether WinPcap's driver
could plug into NDIS 6; if it did, it could also support monitor mode
(using the already-existing libpcap APIs for that, which Wireshark 1.6 and
later use if available, so the existing tcpdump/WinDump, dumpcap, TShark,
and Wireshark UI would also work).

NetMon might also plug into NDIS in a different fashion from the WinPcap
driver, which might allow it to capture on PPP devices such as mobile phone
modems and VPN connections.  However, there might also be NetMon-specific
hooks in the Windows networking stack, so that *only* NetMon can plug into
NDIS in that fashion; I seem to remember a discussion with the WinPcap
developers in which they'd discovered that Windows was looking for a driver
with a particular name (I think the name included "bh" for "Bloodhound",
which I think was the internal code name/project name for NetMon).

Is there any other hardware kind of dependencies present??

Hardware dependencies of what sort?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
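The thread's subject, frame comments, touches the capture formats compared in item 4 above: pcap-NG, which Wireshark reads, carries a per-frame comment as an opt_comment option on the Enhanced Packet Block. The Python below is an added example, not code from this thread, from Wireshark or from NetMon; it writes a minimal little-endian pcap-NG section from constructed frames (microsecond timestamps, the format's default) and walks the blocks back to recover the comments, so the reader can see exactly where in the file such a comment lives.

```python
import struct
# Block types and option codes from the pcap-ng specification; LINKTYPE 1 is Ethernet.
SHB, IDB, EPB, OPT_ENDOFOPT, OPT_COMMENT, LINKTYPE_ETHERNET = 0x0A0D0D0A, 1, 6, 0, 1, 1

def _pad4(data):
    # pcap-ng pads variable-length fields to 32-bit boundaries.
    return data + b"\x00" * (-len(data) % 4)

def _block(block_type, body):
    # Block Total Length covers type, length, body and the trailing length copy.
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def write_pcapng(frames):
    # frames: iterable of (timestamp_us, link-layer bytes, comment or None); writes a little-endian section.
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))          # byte-order magic, v1.0, unknown length
    out += _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))  # linktype, reserved, snaplen
    for ts_us, data, comment in frames:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
        opts = b""
        if comment is not None:  # an options field exists only if some option does, and ends with opt_endofopt
            raw = comment.encode("utf-8")
            opts = struct.pack("<HH", OPT_COMMENT, len(raw)) + _pad4(raw) + struct.pack("<HH", OPT_ENDOFOPT, 0)
        out += _block(EPB, hdr + _pad4(data) + opts)
    return out

def read_comments(buf):
    # Walk a little-endian pcap-ng buffer and return (frame_index, comment) for every EPB carrying opt_comment.
    comments, pos, frame = [], 0, 0
    while pos + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, pos)
        if total < 12 or total % 4:
            raise ValueError("malformed block length at offset %d" % pos)
        if btype == EPB:
            caplen = struct.unpack_from("<I", buf, pos + 20)[0]
            opt_pos = pos + 28 + caplen + (-caplen % 4)  # skip fixed EPB header and padded packet data
            while opt_pos + 4 <= pos + total - 4:        # stop at the trailing Block Total Length copy
                code, length = struct.unpack_from("<HH", buf, opt_pos)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_COMMENT:
                    comments.append((frame, buf[opt_pos + 4:opt_pos + 4 + length].decode("utf-8")))
                opt_pos += 4 + length + (-length % 4)
            frame += 1
        pos += total
    return comments

# Constructed sample: a broadcast ARP-sized frame with no comment, then a zero-filled frame with one.
SAMPLE_FRAMES = [(1_330_800_000_000_000, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28, None),
                 (1_330_800_000_001_000, b"\x00" * 34, "ARP retry seen after 1 ms; check gateway")]
```

The reader only handles the little-endian sections this writer produces; a general tool would inspect the SHB byte-order magic first and honour if_tsresol if present.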
