[Winpcap-users] Capturing packets on Windows Server 2012R2 via IPHTTPS Interface adapters?
Jay Libove
libove at felines.org
Sat Dec 13 08:23:07 UTC 2014
Hi WinPcap users,
On a Windows Server 2012R2 server, functioning as a Direct Access VPN server, there exists an "IPHTTPS" interface, such as:
Tunnel adapter IPHTTPSInterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : IPHTTPSInterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000::1(Preferred)
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000::2(Preferred)
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000:2c84:e368:537f:5dc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2c84:e368:537f:5dc%17(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 268435456
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-16-90-15-00-15-5D-FF-08-00
NetBIOS over Tcpip. . . . . . . . : Disabled
WinPcap (e.g. c:\bin\windump -D) does not see this interface's existence:
C:\bin>windump -D
1.\Device\NPF_{3242D7FE-D86B-455B-BD48-668BA3F91FED} (Microsoft Corporation)
C:\bin>windump -?
windump version 3.9.5, based on tcpdump version 3.9.5
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008)
Usage: windump [-aAdDeflLnNOpqRStuUvxX] [ -B size ] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]
Hm. While I'm at it, I notice that WinPcap also does not detect other types of virtual Ethernet adapters. On the host from which I pulled the Windump -D output above, which is a Hyper-V guest (Windows Server 2012R2 running on top of Windows Server 2012R2), here's the full IPCONFIG/ALL output:
C:\bin>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DAServer
Primary Dns Suffix . . . . . . . : AD3.felines.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : AD3.felines.org
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-FF-08-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:3333::1(Preferred)
Link-local IPv6 Address . . . . . : fe80::f926:59fc:87f8:f00a%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.255.40(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 192.168.255.7
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-16-90-15-00-15-5D-FF-08-00
DNS Servers . . . . . . . . . . . : 192.168.255.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{3242D7FE-D86B-455B-BD48-668BA3F91FED}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter 6TO4 Adapter:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter IPHTTPSInterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : IPHTTPSInterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000::1(Preferred)
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000::2(Preferred)
IPv6 Address. . . . . . . . . . . : fd6d:20cc:9580:1000:2c84:e368:537f:5dc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2c84:e368:537f:5dc%17(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 268435456
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-16-90-15-00-15-5D-FF-08-00
NetBIOS over Tcpip. . . . . . . . : Disabled
Of all of these configured interfaces, Windump -D only sees one ISATAP tunnel adapter. WinPcap does not see (or Windump does not report?) any others - not the Hyper-V virtual Ethernet adapter "Ethernet", not the 6TO4 adapter, and not the IPHTTPSInterface which is of the most direct interest to me just now.
So, the question - how can we get WinPcap (and WinDump, Wireshark) to be able to see traffic on these other, virtual adapters, particularly IPHTTPS?
thanks,
and p.s. I did search the archives and Google generally, and I didn't see this discussed, to my surprise; if it is a FAQ somewhere and I missed it, I beg forgiveness and a pointer in advance.
-Jay
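A check worth running on the server before going further, added here as an example that is not part of Jay's post: WinPcap names each capture device after the adapter's interface GUID (`\Device\NPF_{GUID}`), and an ISATAP adapter is itself named `isatap.{GUID}` after another interface's GUID, so matching by name is ambiguous. The script below parses the `windump -D` output and compares the GUIDs it finds against the `InterfaceGuid` property that `Get-NetAdapter -IncludeHidden` reports, marking every adapter as visible or invisible to WinPcap. The sample data is constructed from the post's `ipconfig /all`; assigning the post's GUID `{3242D7FE-...}` to the Hyper-V adapter in the sample is an assumption for illustration, and the other three GUIDs are placeholders. The live `Get-NetAdapter` call at the bottom is what settles the mapping on a real host.

```powershell
# Added example (not code from the original post or from WinPcap): map the
# NPF_{GUID} devices that "windump -D" lists onto the adapters Windows knows
# about, so each adapter can be flagged as seen or not seen by WinPcap.

function Get-NpfDeviceGuid {
    param([Parameter(Mandatory)][string[]]$WindumpOutput)
    foreach ($line in $WindumpOutput) {
        # Lines look like: 1.\Device\NPF_{3242D7FE-D86B-455B-BD48-668BA3F91FED} (Microsoft Corporation)
        if ($line -match 'NPF_\{([0-9A-Fa-f-]{36})\}') {
            $Matches[1].ToUpperInvariant()
        }
    }
}

function Compare-PcapAdapter {
    param(
        [Parameter(Mandatory)][string[]]$WindumpOutput,
        [Parameter(Mandatory)][object[]]$Adapter    # objects with Name, InterfaceDescription, InterfaceGuid, Hidden
    )
    $seen = @(Get-NpfDeviceGuid -WindumpOutput $WindumpOutput)
    foreach ($a in $Adapter) {
        # InterfaceGuid comes back as "{GUID}"; normalise before comparing.
        $guid = ([string]$a.InterfaceGuid).Trim('{}').ToUpperInvariant()
        [pscustomobject]@{
            Name        = $a.Name
            Description = $a.InterfaceDescription
            Guid        = $guid
            Hidden      = [bool]$a.Hidden
            WinPcapSees = ($seen -contains $guid)
        }
    }
}

# Constructed sample input: the single device line from the post's windump -D output.
$sampleWindump = @(
    '1.\Device\NPF_{3242D7FE-D86B-455B-BD48-668BA3F91FED} (Microsoft Corporation)'
)

# Constructed sample adapters modelled on the post's ipconfig /all. Giving the
# post's GUID to the Hyper-V adapter is an ASSUMPTION for the sample only; the
# 1111/2222/3333 GUIDs are placeholders. Live Get-NetAdapter data replaces this.
$sampleAdapter = @(
    [pscustomobject]@{ Name = 'Ethernet'; InterfaceDescription = 'Microsoft Hyper-V Network Adapter'; InterfaceGuid = '{3242D7FE-D86B-455B-BD48-668BA3F91FED}'; Hidden = $false }
    [pscustomobject]@{ Name = 'isatap.{3242D7FE-D86B-455B-BD48-668BA3F91FED}'; InterfaceDescription = 'Microsoft ISATAP Adapter #2'; InterfaceGuid = '{11111111-1111-1111-1111-111111111111}'; Hidden = $true }
    [pscustomobject]@{ Name = '6TO4 Adapter'; InterfaceDescription = 'Microsoft 6to4 Adapter'; InterfaceGuid = '{22222222-2222-2222-2222-222222222222}'; Hidden = $true }
    [pscustomobject]@{ Name = 'IPHTTPSInterface'; InterfaceDescription = 'IPHTTPSInterface'; InterfaceGuid = '{33333333-3333-3333-3333-333333333333}'; Hidden = $true }
)

# Offline run over the constructed sample.
Compare-PcapAdapter -WindumpOutput $sampleWindump -Adapter $sampleAdapter | Format-Table -AutoSize

# On the real server (WinPcap and windump installed), use live data instead:
#   Compare-PcapAdapter -WindumpOutput (& C:\bin\windump.exe -D) `
#                       -Adapter (Get-NetAdapter -IncludeHidden)
```

If an interface from `ipconfig /all` does not appear even with `-IncludeHidden`, the GUID-to-name mapping can still be read from the registry under `HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\<GUID>\Connection` (the `Name` value), and the same comparison applies. Any adapter that ends up with `WinPcapSees = False` is one NPF has no binding to, which is the case to raise on the list rather than a capture-filter problem.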