
I've got some GigabitEthernet Vision cameras, which use Ethernet to communicate. The protocol is simple UDP, but for performance reasons (high packet throughput causing CPU load) the manufacturer uses a filter driver that prevents those packets from showing up while capturing with WinPCap/Wireshark.

The software which comes with the cameras needs the filter driver to work (there is no plain UDP-Socket fallback) and I would like to analyze its traffic. I would like to avoid the need for capturing using additional hardware and prefer a software-only solution to this.

Question: Is there any way to prioritize WinPCap, so that it handles the packets before the filter driver?

System-Info:

  • OS: Windows 10 (64-bit)
  • Software: Wireshark 2.4.4[-0-g90a7ve11a4]
  • Capture Driver: WinPCap v4.1.3 (packet.dll version 4.1.0.2980)
  • RealTek: USB-GbE-Adapter (Driver Version 10.7.218.2016)

Screenshot of Adapter Configuration (in German, sorry):


This is a screenshot from my network interface settings (the marked driver 'Teledyne DALSA Sapera GigE Vision Filter Driver' is the relevant one).

SDwarfs
  • Are you using a managed switch to connect the cameras? Which brand? – Simone Zabberoni Feb 22 '18 at 12:15
  • I use a direct network connection (patch cable) between the network adapter and the camera. Switching is possible, but not advised. You surely would want to set up a mirror/monitor port that I could use to hook my capturing device on. But, unfortunately I don't even have any switch at hand which I have access to. – SDwarfs Feb 22 '18 at 15:47
  • Yes, I was thinking about a span port and a linux tcpdump machine... old school but effective! – Simone Zabberoni Feb 22 '18 at 18:40

1 Answer


If the cameras are connected to a hub you can plug a laptop into the hub and capture in promiscuous mode.

If the cameras are connected to a switch you can configure a mirrored port (mirror the port the camera is plugged into to a port you plug a machine doing the wireshark capture into).

If the cameras are plugged directly into the computer you are running Wireshark on make sure TCP Chimney is off.

Here are some links that appear to be related to trying to resolve this exact issue.

https://networkengineering.stackexchange.com/questions/34961/why-does-wireshark-not-show-all-traffic-especially-gvsp-data

https://www.wireshark.org/docs/dfref/g/gvsp.html

https://wiki.wireshark.org/CaptureSetup/Offloading#TCP_Chimney

It would also be helpful if you provided more information about the camera (i.e. what is/are the camera model(s)?) and your network topology (e.g. are the cameras connected to the computer you are running Wireshark on, a hub, or a switch?).

Edit: What you are actually asking is to manually change the order of Winsock catalog entries (Layered Service Provider). By running netsh winsock set /? you can see what your options are for configuring Winsock directly. From everything I see, no, there is not a way for you to change the order of LSPs.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753591(v=ws.10)

https://msdn.microsoft.com/en-us/library/windows/desktop/gg581810(v=vs.85).aspx

https://blog.malwarebytes.com/cybercrime/2014/10/changes-in-the-lsp-stack/

user5870571
  • Seems the Option "Chimney" using "netsh" doesn't exist under Windows 10. There are multiple offloading options, which I disabled instead - but without success. The UDP traffic is still not showing up in wireshark, while the network filter from the manufacturer is enabled. – SDwarfs Feb 23 '18 at 14:15
  • I added a screenshot to my Question, which depicts what I mean by 'filter driver'. If disabled (via checkbox left to it), all packets including GVSP/UDP show up in wireshark. If enabled, there are only the GVCP/UDP packets and other communication as ARP, DHCP and so on. This is why I ask if there is a way to "prioritize" WinPCAP to capture the packets before it is handled by this driver. – SDwarfs Feb 23 '18 at 14:29
  • PS: The camera is connected directly to the NIC of the windows computer. And I know about those options involving additional hardware (switches, router and so on), which I want to avoid. – SDwarfs Feb 23 '18 at 14:30
  • Since the filter driver is enabled in the TCP/IP stack it might be possible by changing settings in winsock. I will look into that and let you know. – user5870571 Feb 23 '18 at 14:37
  • Please see my updated answer. – user5870571 Feb 23 '18 at 15:24
  • Seems you've done enough sophisticated investigation of the topic to say that it won't work just simply by changing some settings. So you'll get the bounty, as this closes the question. Thank you for your work! – SDwarfs Feb 26 '18 at 09:59
  • If I find something different I will try to update my answer. – user5870571 Feb 26 '18 at 15:44
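As an added example that is not part of the question or answer: the following PowerShell script lists the components bound to the adapter (the Enabled column is the same state as the checkbox in the question's screenshot) and then dumps the Winsock catalog that the netsh command in the answer configures, so you can see which layer each driver lives in before changing anything. It assumes the adapter is named 'Ethernet', that the vendor filter's display name contains 'GigE Vision' (as in the question), and that the capture driver's binding name matches 'WinPcap', 'Npcap' or 'NPF'; adjust those to your system.

```powershell
# Added example (not from the question or answer). Assumes the adapter is
# named "Ethernet" and the vendor filter's display name contains "GigE Vision";
# change both to match your system. Run in an elevated PowerShell on Windows 10.
param(
    [string]$AdapterName   = 'Ethernet',
    [string]$FilterPattern = 'GigE Vision'
)

# Identify the adapter and its driver version (compare with the question's
# RealTek USB-GbE adapter entry).
$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
"{0}: {1} (driver {2})" -f $adapter.Name, $adapter.InterfaceDescription, $adapter.DriverVersion

# Everything bound to the adapter: protocols (TCP/IP, a capture protocol),
# NDIS filters (the vendor's GigE Vision filter) and services. The Enabled
# property is the checkbox shown in the adapter's properties dialog.
$bindings = Get-NetAdapterBinding -Name $AdapterName |
    Sort-Object Enabled -Descending |
    Select-Object DisplayName, ComponentID, Enabled
$bindings | Format-Table -AutoSize

# Report the vendor filter and any capture driver binding side by side.
$filters  = @($bindings | Where-Object { $_.DisplayName -like "*$FilterPattern*" })
# Pattern for the capture driver's display name is an assumption; widen it if
# your capture driver is listed under a different name.
$captures = @($bindings | Where-Object { $_.DisplayName -match 'WinPcap|Npcap|NPF' })

if ($filters.Count -eq 0) { "No binding matching '$FilterPattern' on $AdapterName" }
foreach ($f in $filters) {
    "Vendor filter binding: {0} ({1}) enabled={2}" -f $f.DisplayName, $f.ComponentID, $f.Enabled
}
if ($captures.Count -eq 0) { "No WinPcap/Npcap binding listed on $AdapterName" }
foreach ($c in $captures) {
    "Capture driver binding: {0} ({1}) enabled={2}" -f $c.DisplayName, $c.ComponentID, $c.Enabled
}

# The Winsock catalog (the LSP layer the answer's netsh command configures) is
# a separate layer from the adapter bindings above; dump it for comparison.
netsh winsock show catalog
```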