Wireshark mailing list archives

Re: PPP capture


From: Guy Harris <guy () alum mit edu>
Date: Mon, 11 Jan 2016 17:56:37 -0800


On Jan 11, 2016, at 5:42 PM, Yang Luo <hsluoyb () gmail com> wrote:

> AFAIK, Npcap/WinPcap works on the data link level and it sees the Ethernet frames.

It sees data link frames, whatever they might happen to be; it's not necessarily Ethernet.

> In my understanding, VPN SSL (https) or raw HTTP is just data of high-levels (IP packets) for Npcap/WinPcap. I don't
> know if it's appropriate or viable for Npcap/WinPcap to see this data.

It's appropriate for WinPcap/Npcap to see packets from any interface it can attach to via NDIS.  It should just pass
those packets on to its caller, and not do any decryption or anything else on them - if the OS provides decrypted packets
(i.e., supplies decrypted packets to drivers attached to the interface via NDIS), it should pass them on to its caller
to display, and if it provides *encrypted* packets (i.e., supplies raw packets to drivers attached to the interface via
NDIS), it should pass them on to its caller and leave it up to the caller to decrypt.