> I have looked at the WinDump code a bit more. It is GPL'd and contains
> code to do packet capture at the NDIS level for both Win95 and WinNT.
Yeah, the drivers appear to be new GPLed code rather than the earlier
stuff, which looked similar to some Microsoft sample code whose
distribution restrictions I wasn't sure of.
Microsoft Research funded some of their work, so at least one part of
Microsoft doesn't disapprove.
> It looks possible to use it with Ethereal as it provides a libpcap interface.
Yup. Their "libpcap" is based on 0.4a6 (I've no idea why so many
modified "libpcap"s are based on 0.4a6 rather than 0.4, but...).
It might be interesting to hook the Politecnico di Torino folk who did
this with "tcpdump.org", to (GPL permitting) get the standard
out-of-the-box "libpcap" to support Win32 (and to get any "tcpdump.org"
updates into the Windows version).
> It would seem that there may only be one remaining problem then ... Umm,
> what was that other problem?
Well, some of the security hole patching involved using "mkstemp()" (so
that the creation and opening of the temporary file are done in one
operation), and using the resulting file descriptor directly rather than
reopening the file by name, and, alas, there's no "fdopen()" in the
Windows C libraries (I'm not sure *why*, given that Win32 has a notion
of "handle" for I/O that - at least on NT - looks *very* suspiciously
similar to the UNIX notion of a file descriptor; perhaps it can't work
on Windows 9x, or something), at least with the old Visual C++ 4.0 I had
on my NT partition (maybe the VC++ 6.0 does better), so that stuff might
have to be tweaked.
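The mkstemp()/fdopen() point above, as an added illustration that is not code from the thread or from Ethereal: the temporary file is created and opened in one atomic step and the descriptor is then used directly, so there is no window in which the path could be reopened by name. It assumes a POSIX C library (the missing fdopen() on the Windows side is exactly why this would need tweaking there); the template path is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a temporary file the safe way: mkstemp() generates the name and
   opens it with O_CREAT|O_EXCL and mode 0600 in a single operation, and
   fdopen() wraps the returned descriptor so the file is never reopened
   by name (reopening by name is what left a race in the old code path). */
static FILE *open_temp_securely(char *template_buf) {
    int fd = mkstemp(template_buf);          /* atomic create+open */
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w+");             /* use the fd directly */
    if (fp == NULL) {
        close(fd);
        unlink(template_buf);
    }
    return fp;
}

/* Writes a line, reads it back through the same stream and checks that
   the file was created owner-only. Returns 1 on success, 0 otherwise. */
int demo_secure_tempfile(void) {
    char path[] = "/tmp/ethereal-demo-XXXXXX";  /* constructed template */
    const char *line = "sample packet data\n";
    char buf[64];
    struct stat st;
    int ok = 0;

    FILE *fp = open_temp_securely(path);
    if (fp == NULL)
        return 0;
    /* fstat() on the open descriptor, not stat() on the path */
    if (fstat(fileno(fp), &st) == 0 && (st.st_mode & 0777) == 0600) {
        fputs(line, fp);
        fflush(fp);
        rewind(fp);
        if (fgets(buf, sizeof buf, fp) != NULL && strcmp(buf, line) == 0)
            ok = 1;
    }
    fclose(fp);
    unlink(path);
    return ok;
}
```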