Wireshark under Windows: Any way to capture packets before dropped by special filter drivers

Tags: ethernet, pcap, udp, winpcap, wireshark

I've got some GigabitEthernet Vision cameras, which use Ethernet to communicate. The protocol is simple UDP, but for performance reasons (high packet throughput causing CPU load) the manufacturer uses a filter driver that prevents those packets from showing up while capturing with WinPCap/Wireshark.

The software which comes with the cameras needs the filter driver to work (there is no plain UDP-Socket fallback) and I would like to analyze its traffic. I would like to avoid the need for capturing using additional hardware and prefer a software-only solution to this.

Question: Is there any way to prioritize WinPCap, so that it handles the packets before the filter driver?

System-Info:

  • OS: Windows 10 (64-bit)
  • Software: Wireshark 2.4.4[-0-g90a7ve11a4]
  • Capture Driver: WinPCap v4.1.3 (packet.dll version 4.1.0.2980)
  • RealTek: USB-GbE-Adapter (Driver Version 10.7.218.2016)

Screenshot of Adapter Configuration (in German, sorry):


This is a screenshot from my network interface settings (the marked driver 'Teledyne DALSA Sapera GigE Vision Filter Driver' is the relevant one).

Best Answer

If the cameras are connected to a hub you can plug a laptop into the hub and capture in promiscuous mode.

If the cameras are connected to a switch you can configure a mirrored port (mirror the port the camera is plugged into to a port you plug a machine doing the Wireshark capture into).

If the cameras are plugged directly into the computer you are running Wireshark on make sure TCP Chimney is off.

Here are some links that appear to be related to trying to resolve this exact issue.

https://networkengineering.stackexchange.com/questions/34961/why-does-wireshark-not-show-all-traffic-especially-gvsp-data

https://www.wireshark.org/docs/dfref/g/gvsp.html

https://wiki.wireshark.org/CaptureSetup/Offloading#TCP_Chimney

It would also be helpful if you provided more information about the camera (i.e. what is/are the camera model(s)?) and your network topology (e.g. are the cameras connected to the computer you are running Wireshark on, a hub, or a switch?).

Edit: What you are actually asking is to manually change the order of Winsock catalog entries (Layered Service Provider). By running netsh winsock set /? you can see what your options are for configuring Winsock directly. From everything I see, no, there is not a way for you to change the order of LSPs.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753591(v=ws.10)

https://msdn.microsoft.com/en-us/library/windows/desktop/gg581810(v=vs.85).aspx

https://blog.malwarebytes.com/cybercrime/2014/10/changes-in-the-lsp-stack/
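A read-only check for the situation described above, added here as an example and not part of the question or answer: it lists every component bound to the capture adapter (including hidden NDIS filter drivers such as the vendor's GigE Vision filter) and prints the global TCP offload state that the answer asks you to verify. The adapter name 'Ethernet 2' is an assumption; replace it with the adapter shown in your own settings.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt; nothing here changes any setting.
$adapterName = 'Ethernet 2'   # assumption: adjust to your adapter's name

# 1. Enumerate everything bound to the adapter. -IncludeHidden is needed
#    because NDIS filter drivers do not appear in the ordinary properties
#    dialog, and a capture driver (WinPcap/Npcap) shows up here as well.
$bindings = Get-NetAdapterBinding -Name $adapterName -IncludeHidden |
    Sort-Object ComponentID

Write-Host "Bindings on '$adapterName':"
$bindings | Format-Table DisplayName, ComponentID, Enabled -AutoSize

# 2. Call out anything that looks like a filter driver, since a filter that
#    sits below the capture driver can consume packets before they are seen.
$filters = $bindings | Where-Object { $_.DisplayName -like '*Filter*' }
if ($filters) {
    Write-Host "Filter drivers bound to this adapter:"
    $filters | ForEach-Object { Write-Host ("  {0} (enabled: {1})" -f $_.DisplayName, $_.Enabled) }
} else {
    Write-Host "No filter drivers bound to this adapter."
}

# 3. Show global TCP offload settings; TCP Chimney is reported here on
#    Windows versions that still support it.
netsh interface tcp show global
```

Disabling a vendor filter binding temporarily would show whether it is the reason packets are missing, but as the question notes the camera software depends on that driver, so re-enable it afterwards.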