Wireshark-users: Re: [Wireshark-users] Ethereal - how it reads data from NDIS driver
Maxim Bakushin wrote:
> I have a WinXP SP2 machine with an NDIS driver installed. An application
> running on this machine re-assembles VLAN-tagged Ethernet frames and
> sends them to a router via L2 switch.
> When I run Ethereal (0.99.0, WinPcap 3.1) on this machine, I can see
> correct VLAN-tagged Ethernet frames sent to the destination, but when I
> monitor (with Ethereal) the LAN between that machine and L2 switch - the
> frames do not include the VLAN-tags. It seems strange to me.
Whether you'll see VLAN tags or not on Windows depends on whether the
network adapter is configured to be "on a VLAN" or not, and on various
other things:
http://wiki.wireshark.org/CaptureSetup/VLAN#head-81781716144f2855ab0aff2f8b752e95f2562efb
> So, my question is - what is the source of information for Ethereal on the
> WinXP machine?
The source of information is WinPcap, which connects its transport-layer
driver to NDIS. For details, ask the WinPcap developers, or see some of
their papers, such as
http://www.winpcap.org/docs/iscc01-wpcap.pdf
linked to from the page at
http://www.winpcap.org/devel.htm
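
Added example, not part of the original thread: a Python check for whether a captured frame's bytes carry an 802.1Q tag, and whether two captures of the same frame (one taken on the sending host, one on the wire) differ only by that tag. The sample frame is constructed and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier


def parse_ethernet(frame: bytes) -> dict:
    """Return MACs, the optional 802.1Q tag fields, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def differs_only_by_tag(a: bytes, b: bytes) -> bool:
    """True when exactly one capture is tagged and everything else matches."""
    pa, pb = parse_ethernet(a), parse_ethernet(b)
    if (pa["vlan"] is None) == (pb["vlan"] is None):
        return False
    return all(pa[k] == pb[k] for k in ("dst", "src", "ethertype", "payload"))


# Constructed sample: broadcast frame, VLAN 100, priority 5, IPv4 EtherType.
TAGGED = (bytes.fromhex("ffffffffffff" "020000000001" "8100" "a064" "0800")
          + b"constructed payload")
# The same frame as it appears when the 4-byte tag is absent from the capture.
UNTAGGED = TAGGED[:12] + TAGGED[16:]

if __name__ == "__main__":
    for name, frame in (("host capture", TAGGED), ("wire capture", UNTAGGED)):
        p = parse_ethernet(frame)
        print(f"{name}: vlan={p['vlan']} ethertype=0x{p['ethertype']:04x}")
    print("differ only by tag:", differs_only_by_tag(TAGGED, UNTAGGED))
```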