Writing a Driver to Capture PPP Frames

When Point-to-Point Protocol (PPP) frames are sent through a Point-to-Point Tunneling Protocol (PPTP) tunnel with encryption turned on, or through a Layer 2 Tunneling Protocol (L2TP) tunnel that uses IPSec for encryption, the typical PPP frame capture utility can only capture PPP frames that have an encrypted protocol identity field. This document explains how to develop a driver that can capture PPP frames in Windows Vista before they are compressed/encrypted in the send path or after they are decompressed/decrypted in the receive path.

  1. Write an NDIS protocol driver. For details, see NDIS 6.0 Protocol Drivers or NDIS Protocol Drivers (NDIS 5.1).

  2. Install the driver with a hardware identity of "ms_netmon". For detailed instructions on how to install the driver with a specific hardware identity, see INF Models Section.

    Note

    Each Windows Vista machine permits the installation of only one driver entity that has the "ms_netmon" hardware identity. To install another driver with this identity, the first driver must be uninstalled. A driver that is installed without using the "ms_netmon" hardware identity cannot perform the binding needed to capture PPP frames.


  3. The protocol driver should specify "ndiswanbh" as the binding interface for capturing PPP frames. For detailed instructions, see Specifying Binding Interfaces.

  4. The ProtocolBindAdapter implementation in the driver should support "NdisMediumWan" as a part of the medium array, so that it can open the ndiswanbh miniport edge using the NdisOpenAdapter function.

  5. If the ProtocolOpenAdapterComplete function is called with status NDIS_STATUS_SUCCESS, the protocol driver should set the OID_GEN_CURRENT_PACKET_FILTER OID with the flags NDIS_PACKET_TYPE_PROMISCUOUS and NDIS_PACKET_TYPE_ALL_LOCAL over this binding. Once this is done, the protocol driver will receive the decrypted PPP frames from the PPP framing layer in its ProtocolReceive function.
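
The INF fragment below is an added illustration of how steps 2 and 3 are expressed declaratively; it is not taken from any Microsoft sample or from a shipping Network Monitor INF. The "ms_netmon" hardware identity goes in the Models section, and "ndiswanbh" is given as the LowerRange under the Ndi\Interfaces key, which is the mechanism the Specifying Binding Interfaces topic describes. The service name PppCap, the binary name pppcap.sys, the provider string and the DriverVer date are assumed placeholders; replace them with your own driver's values.

```inf
; Assumed protocol-driver INF for a PPP frame capture driver (illustrative only).
; Class NetTrans marks this as an NDIS protocol (transport) component.
[Version]
Signature   = "$Windows NT$"
Class       = NetTrans
ClassGUID   = {4d36e975-e325-11ce-bfc1-08002be10318}
Provider    = %ProviderName%
DriverVer   = 01/01/2007,1.0.0.0        ; placeholder date/version

[Manufacturer]
%ProviderName% = Standard,NTx86,NTamd64

; Models sections: the second field is the hardware identity.
; "ms_netmon" is required for the ndiswanbh binding to be permitted, and only
; one component with this identity may be installed per Windows Vista machine.
[Standard.NTx86]
%PppCapDesc% = PppCap.Install, ms_netmon

[Standard.NTamd64]
%PppCapDesc% = PppCap.Install, ms_netmon

[PppCap.Install]
Characteristics = 0x0
AddReg          = PppCap.AddReg
CopyFiles       = PppCap.CopyFiles

[PppCap.AddReg]
; Ndi\Service names the kernel service that implements the protocol.
HKR, Ndi,            Service,    , "PppCap"
; A protocol driver has nothing above it ("noupper"); below it, request the
; ndiswanbh interface so NDIS binds this protocol to the ndiswanbh miniport edge
; that hands over PPP frames before compression/encryption (send) and after
; decompression/decryption (receive).
HKR, Ndi\Interfaces, UpperRange, , "noupper"
HKR, Ndi\Interfaces, LowerRange, , "ndiswanbh"

[PppCap.Install.Services]
AddService = PppCap, , PppCap.Service

[PppCap.Service]
DisplayName    = %PppCapDesc%
ServiceType    = 1          ; SERVICE_KERNEL_DRIVER
StartType      = 3          ; SERVICE_DEMAND_START
ErrorControl   = 1          ; SERVICE_ERROR_NORMAL
ServiceBinary  = %12%\pppcap.sys

[PppCap.CopyFiles]
pppcap.sys

[DestinationDirs]
PppCap.CopyFiles = 12       ; %SystemRoot%\system32\drivers

[SourceDisksNames]
1 = %DiskDesc%,,,

[SourceDisksFiles]
pppcap.sys = 1

[Strings]
ProviderName = "Example Provider (placeholder)"
PppCapDesc   = "PPP Frame Capture Protocol (placeholder)"
DiskDesc     = "PPP Frame Capture Installation Disk (placeholder)"
```

Because the ms_netmon identity is exclusive, installing this INF on a machine that already has a driver with that identity (for example Network Monitor's own capture driver) requires uninstalling that driver first, as the note under step 2 states. The INF only establishes the binding; the medium-array handling in step 4 and the OID_GEN_CURRENT_PACKET_FILTER request in step 5 still have to be implemented in the driver's code.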

Note

This information only applies to drivers on a Windows Vista machine.