Safe Capture of WAN Packets

0

I have an aggregating network tap between my WAN connection and my home router. I have a dedicated machine running Wireshark to capture all WAN traffic via the network tap. This machine is running Windows 7 Ultimate.

Is there any way to stop the incoming Ethernet frames from going up the stack and being processed? I'd like them to be discarded as soon as Wireshark has captured them. Is this possible?

Obviously, this is to protect the dedicated sniffing computer from the many threats it will be exposed to sitting directly on the WAN.

Thanks!

Dave

Posted 2016-01-17T18:12:39.510

Reputation: 597

Do not give the computer an IP address. – Ron Trunk – 2016-01-17T18:41:50.373

Interesting you should mention not giving the computer an IP address as I've tried that in the past. Unfortunately, it won't let me not give it an address using the usual Control Panel --> Network and Sharing Center --> Change Adapter Settings --> Properties interface. Is there another way I can delete all traces of an IP address? – Dave – 2016-01-17T21:41:01.010

Try 0.0.0.0 or 169.254.x.x. Either one will not be reachable from the WAN. – Ron Trunk – 2016-01-17T22:09:49.327

Answers

0

It is not possible for WinPcap directly (what Wireshark is using on Windows to collect the packets) to drop packets. This is covered briefly in the WinPcap FAQ.

You may be able to use the Windows Firewall to drop all packets coming in on that interface after they are processed by Wireshark (although I'm not sure - it might also block them before they reach Wireshark, which obviously wouldn't help you).

Nick Bastin

Posted 2016-01-17T18:12:39.510

Reputation: 367