[Winpcap-users] I can not capture my fortiClient interface
Gisle Vanem
gvanem at broadpark.no
Thu Apr 4 01:41:14 PDT 2013
"Ulas Yuce" <ulasyuce at gmail.com> wrote:
> The outputs are as below:
>
> C:\Program Files\Wireshark>dumpcap -D
> 1. \Device\NPF_{4D98F9E6-1671-48AE-BEC7-0B69819C55ED} (Microsoft)
> 2. \Device\NPF_{B7AA410C-0172-4960-A503-A468B0520621} (Intel(R) 82567LM Gigabit Network Connection)
> 3. \Device\NPF_{BB31B551-FA05-46E9-85BD-EECC3E6A8D2B} (Fortinet Virtual NIC)
> 4. \Device\NPF_{50C6054D-F4F8-45D0-BA23-22C861A69DED} (NCP Secure Client Virtual NDIS6 Adapter)
> 5. \Device\NPF_{F6945C05-3F7B-49F3-B298-4A08250BDE86} (Juniper Network Connect Virtual Adapter)
> 6. \Device\NPF_{130984C3-C857-4E00-A133-DB36838B7CB8} (Microsoft)
>
>
> When FortiClient is connected ipconfig result is as below:
>
>
> PPP adapter fortissl:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : fortissl
> Physical Address. . . . . . . . . :
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.242.1(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 10.160.0.13
> 138.203.68.208
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
It's hard for me to tell what "fortissl" maps to in terms of adapter
names WinPcap could accept. My best bet would be this one:
3. \Device\NPF_{BB31B551-FA05-46E9-85BD-EECC3E6A8D2B} (Fortinet Virtual NIC)
You could try WinPcap + Wireshark with the other "virtual" adapters too.
I only have one virtual adapter here (a tap from my VPN connection).
But I have modified my windump program to include more details.
"windump -Dv" prints:
1: \\.\airpcap00
Descr: AirPcap USB wireless capture adapter nr. 00
No network address
MAC-addr: 00:12:0E:11:C8:E4, MTU <failed>, link-type 802.11 Radio, UP?, 54Mb/s (AirPcap)
Channel: 6, Encryption: OFF, name AirPcap Classic, USB bus, RX only, No ext-ant
media: 802.11/b/g, band: 2GHz
2: \Device\NPF_GenericDialupAdapter
Descr: Adapter for generic dialup and VPN capture
No network address
MAC-addr: <failed>, MTU <failed>, link-type 802.3, UP?, 10Mb/s (NDIS-Wan)
3: \Device\NPF_{7F56352E-EF2F-49F4-844C-BA1FA0105667}
Descr: MS Tunnel Interface Driver
No network address
MAC-addr: 02:00:54:55:4E:01, MTU 1514, link-type 802.3, DOWN, 10Mb/s (NDIS)
4: \Device\NPF_{8D3A23A7-9C6C-408B-A23B-6736F9E56510}
Descr: Realtek 10/100/1000 Ethernet NIC
Addr 0: 10.0.0.6 (mask 255.255.255.0)
MAC-addr: 20:CF:30:90:56:99, MTU 4096, link-type 802.3, UP, 10Mb/s (NDIS)
5: \Device\NPF_{37FC13D9-2F52-47CA-AB64-32B2B434C749}
Descr: Realtek RTL8187 Wireless LAN USB NIC
Addr 0: 10.0.0.5 (mask 255.255.255.0)
MAC-addr: 00:18:4D:00:DE:76, MTU 1514, link-type 802.3 over Wireless LAN, UP, 54Mb/s (NDIS)
6: \Device\NPF_{75451EE7-5145-471A-BAF5-124BE8439D10}
Descr: WAN (PPP/SLIP) Interface
Addr 0: 108.171.112.232 (mask 255.255.255.255)
MAC-addr: <failed>, MTU <failed>, link-type 802.3, UP?, 0Mb/s (NDIS-Wan)
Thus it's "easy" to see that no. 2 is the one to use for VPN (encrypted) sniffing.
I assume Fortinet has some similar capability. Note that my no. 2 adapter is of the
NDIS-Wan type. That's why WinPcap needs to be built with '-DHAVE_WANPACKET_API'
(or is this default now?)
I'm not sure how you can check if your WinPcap has this option. You may have to
recompile it yourself. Get the sources here: http://www.winpcap.org/devel.htm.
> I realized that I have another connection which is always seem like below:
>
>
> C:\Program Files\Wireshark>ipconfig /all
>
> Windows IP Configuration
>
> ....
>
> Ethernet adapter Local Area Connection 3:
>
> Media State . . . . . . . . . . . : Media disconnected
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Fortinet virtual adapter
> Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
I'm not sure this can be used to sniff anything.
"Media disconnected" looks funny. Is it this one you have problem
getting anything from?
--gv
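The open question in this message is which `\Device\NPF_{GUID}` entry from `dumpcap -D` corresponds to the connection names that `ipconfig` prints. The script below is an added example for this thread, not code from WinPcap, Wireshark or the poster: it joins the two views on the adapter GUID rather than guessing from description strings. The join key comes from `getmac /v /fo csv`, whose "Transport Name" column is `\Device\Tcpip_{GUID}` for adapters with an IP binding and the text "Media disconnected" for adapters without link, so the GUID of a disconnected adapter (like the "Local Area Connection 3" above) cannot be joined and is reported separately. RAS/PPP connections such as "fortissl" have no Tcpip transport GUID either, which is why they show up as unmatched; for those, WinPcap's generic dialup adapter is the candidate. The `dumpcap -D` sample reuses three GUIDs quoted in the thread; the `getmac` rows (including the Intel MAC) are constructed for the example, as is the assumption that the output is fed in as text after running both commands on the same machine.

```python
"""Join dumpcap -D interface names with Windows connection names on the adapter GUID.

Added example for the thread above; not part of WinPcap, Wireshark or the original
posts. Sample outputs are constructed: dumpcap lines reuse GUIDs from the thread,
getmac rows are assumed to follow the 'getmac /v /fo csv' column layout.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One interface per line:  N. \Device\NPF_{GUID} (description)
NPF_RE = re.compile(r'^\s*(\d+)\.\s+\\Device\\NPF_\{([0-9A-Fa-f-]{36})\}\s+\((.*)\)\s*$')
# getmac "Transport Name" column for adapters that have an IP binding
TCPIP_RE = re.compile(r'\\Device\\Tcpip_\{([0-9A-Fa-f-]{36})\}', re.IGNORECASE)

# Constructed sample: first three entries of the dumpcap -D listing quoted in the thread.
DUMPCAP_SAMPLE = r"""
1. \Device\NPF_{4D98F9E6-1671-48AE-BEC7-0B69819C55ED} (Microsoft)
2. \Device\NPF_{B7AA410C-0172-4960-A503-A468B0520621} (Intel(R) 82567LM Gigabit Network Connection)
3. \Device\NPF_{BB31B551-FA05-46E9-85BD-EECC3E6A8D2B} (Fortinet Virtual NIC)
"""

# Constructed sample of 'getmac /v /fo csv' (the Intel MAC is made up for the example;
# the Fortinet MAC and "Media disconnected" state are what the ipconfig quote showed).
GETMAC_SAMPLE = r'''"Connection Name","Network Adapter","Physical Address","Transport Name"
"Local Area Connection","Intel(R) 82567LM Gigabit Network Connection","00-1E-37-AA-BB-CC","\Device\Tcpip_{B7AA410C-0172-4960-A503-A468B0520621}"
"Local Area Connection 3","Fortinet virtual adapter","00-09-0F-FE-00-01","Media disconnected"
'''


@dataclass
class Mapping:
    index: int                       # dumpcap -D interface number (what you pass to -i)
    npf_device: str
    npf_description: str
    connection_name: Optional[str]   # None when getmac exposes no Tcpip GUID for it
    mac: Optional[str]
    note: str


def parse_dumpcap_list(text: str) -> List[dict]:
    """Parse dumpcap -D / windump -D output; skips non-NPF names such as \\.\airpcap00."""
    out = []
    for line in text.splitlines():
        m = NPF_RE.match(line)
        if not m:
            continue
        out.append({"index": int(m.group(1)),
                    "guid": m.group(2).upper(),
                    "device": r"\Device\NPF_{%s}" % m.group(2),
                    "description": m.group(3)})
    return out


def parse_getmac_csv(text: str) -> List[dict]:
    """Parse getmac /v /fo csv output and extract the Tcpip GUID from Transport Name."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        m = TCPIP_RE.search(r.get("Transport Name", "") or "")
        r["guid"] = m.group(1).upper() if m else None
    return rows


def join_on_guid(dumpcap_text: str, getmac_text: str) -> List[Mapping]:
    """For each NPF device, look up the Windows connection name with the same GUID."""
    by_guid: Dict[str, dict] = {r["guid"]: r for r in parse_getmac_csv(getmac_text) if r["guid"]}
    result = []
    for iface in parse_dumpcap_list(dumpcap_text):
        r = by_guid.get(iface["guid"])
        if r is None:
            note = "no Tcpip transport with this GUID: RAS/PPP, disconnected or non-IP adapter"
            result.append(Mapping(iface["index"], iface["device"], iface["description"],
                                  None, None, note))
        else:
            result.append(Mapping(iface["index"], iface["device"], iface["description"],
                                  r["Connection Name"], r["Physical Address"], ""))
    return result


def unmatched_adapters(getmac_text: str) -> List[dict]:
    """getmac rows that expose no GUID (e.g. 'Media disconnected'), so they cannot be joined."""
    return [r for r in parse_getmac_csv(getmac_text) if not r["guid"]]


if __name__ == "__main__":
    for m in join_on_guid(DUMPCAP_SAMPLE, GETMAC_SAMPLE):
        print(f"{m.index}: {m.npf_description!r} -> {m.connection_name or '?'} {m.mac or ''} {m.note}")
    for r in unmatched_adapters(GETMAC_SAMPLE):
        print(f"unjoined: {r['Connection Name']!r} ({r['Network Adapter']}) {r['Transport Name']}")
```

On a real machine, replace the two samples with the captured output of `dumpcap -D` and `getmac /v /fo csv`; the index column is what goes into `dumpcap -i N`. The script deliberately does not match on description text, because the same Fortinet adapter is described as "Fortinet Virtual NIC" by WinPcap and "Fortinet virtual adapter" by ipconfig in the quotes above.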