On Mar 3, 2012, at 7:12 AM, Krishnamurthy Mayya wrote:
> Just wanted to understand in what way these 2 (MS network monitor and Wireshark) differ??
Well, there are several ways in which they differ. Some of them are:
1) Wireshark is released under the GNU Public License; its source code is available to all, and if anybody makes a modified version of Wireshark available, they must make it available in source form to everybody to whom they make it available in binary form (see the GPL, Version 2:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
and the FAQ about it:
http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html
for a more detailed and perhaps more correct explanation). It is available at no cost.
Microsoft Network Monitor (henceforth referred to as "NetMon") is available at no cost, but its source code is not available.
2) Wireshark dissects packets by directly executing code, written in C, Lua (for versions of Wireshark built with Lua) or, I think, Python (for versions of Wireshark built with the Python interpreter); a third-party plugin:
http://wsgd.free.fr/
allows packet formats to be described in a packet description language. Tools exist to transform some packet description languages (ASN.1, Samba's PIDL interface description language for DCERPC/MSRPC, CORBA IDL) into C code.
NetMon dissects packets by using packet descriptions written in NetMon's own packet description language.
3) Wireshark runs on Windows and a number of UN*Xes (Linux distributions, *BSD, Mac OS X, Solaris, HP-UX, AIX, etc.).
NetMon runs only on Windows (it might be able to run, without support for packet capture, on x86 UN*Xes under Wine).
4) Wireshark can read capture files in a number of formats, including both pcap and pcap-NG format, as well as various formats from other packet analyzers, including NetMon format.
NetMon can read both its native format and pcap format; it supports some features of its native format that Wireshark does not (including, at present, frame comments).
> I just noticed that wireshark uses winPcap where as the other uses NDIS.
Actually, they both use NDIS. As far as I know, Microsoft don't provide any way of directly accessing NDIS drivers from userland, so WinPcap includes
1) a driver that connects to NDIS and provides I/O operations that can be accessed from userland;
2) a low-level userland library that accesses that driver (packet.dll);
3) a version of libpcap that uses that low-level userland library (wpcap.dll).
I don't know how NetMon plugs into NDIS; I suspect it installs its own driver with its own userland code that accesses it.
> Any more thoughts on this??
NetMon, on Windows Vista and later, plugs into NDIS 6, which means it can support capturing in monitor mode. I don't know whether WinPcap's driver could plug into NDIS 6; if it did, it could also support monitor mode (using the already-existing libpcap APIs for that, which Wireshark 1.6 and later use if available, so the existing tcpdump/WinDump, dumpcap, TShark, and Wireshark UI would also work).
NetMon might also plug into NDIS in a different fashion from the WinPcap driver, which might allow it to capture on PPP devices such as mobile phone modems and VPN connections. However, there might also be NetMon-specific hooks in the Windows networking stack, so that *only* NetMon can plug into NDIS in that fashion; I seem to remember a discussion with the WinPcap developers in which they'd discovered that Windows was looking for a driver with a particular name (I think the name included "bh" for "Bloodhound", which I think was the internal code name/project name for NetMon).
> Is there any other hardware kind of dependencies present??
Hardware dependencies of what sort?
