Wireshark-dev: Re: [Wireshark-dev] PPP capture
From: Gisle Vanem <[email protected]>
Date: Tue, 12 Jan 2016 10:22:59 +0100
Yang Luo wrote:

> AFAIK, Npcap/WinPcap works on the data link level and it sees the Ethernet frames. In my understanding, VPN SSL (https)
> or raw HTTP is just data of high-levels (IP packets) for Npcap/WinPcap. I don't know if it's appropriate or viable for
> Npcap/WinPcap to see this data.

The original WinPcap can see such un-encrypted traffic if built
with '-DHAVE_WANPACKET_API'. It worked very good for me for years when
I used a VPN connection. In such case, the PP2TP/L2TP setup inside
Windows provides a virtual adapter you can sniff on (but no transmit
is allowed).

But if the OP's Fortinet/Fortigate VPN works like the above, is another
question. I bet it bypasses NDIS somehow.

BTW Yang, do your NPcap (in Winpcap-mode?) support compiling with
  'HAVE_WANPACKET_API' too?

-- 
--gv