Why not use "windump -D"? Well, I wanted to know the mapping for Local Area Connection. This script also lets you parse its output in case you want to use it in conjunction with other remote execution methods such as wmic!
I have a quick vbs script that can read the registry and I've located a fairly easy lookup method.
Finding the Device from Regedit:
- HKLM\SYSTEM\CurrentControlSet\Control\Network\
- Identify the key whose "(Default)" value contains the data "Network Adapters"
- Search the listed adapters for the value Name containing the data "Local Area Connection"
- The key that contains "Local Area Connection" is the reference to the physical device identifier
- Prepend "\Device\NPF_" to the key
- Example: \Device\NPF_{95007697-9E3B-41C0-9732-19063EBA4376}
- From this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{95007697-9E3B-41C0-9732-19063EBA4376}
- This can be customized to run against any named connection identified from ipconfig /all
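The lookup steps above, as an added PowerShell sketch (not the original pcap_adapter.vbs). It assumes the connection name is stored in the Name value of each adapter's Connection subkey; the $Match parameter and the output property names are made up for this example.

```powershell
# Added example: map connection names to WinPcap device names via the registry.
# Not the original pcap_adapter.vbs; parameter and property names are illustrative.
param(
    [string]$Match = 'local'   # case-insensitive substring of the connection name
)

$networkRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network'

# Step 1: find the class key whose (Default) value is "Network Adapters".
$classKeys = Get-ChildItem -Path $networkRoot -ErrorAction SilentlyContinue |
    Where-Object { ([string]$_.GetValue('')).Trim() -eq 'Network Adapters' }

$results = foreach ($class in $classKeys) {
    foreach ($adapter in Get-ChildItem -Path $class.PSPath -ErrorAction SilentlyContinue) {
        $guid = $adapter.PSChildName

        # Only {GUID}-named subkeys are adapters; skip anything else under the class key.
        if ($guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

        # Step 2: read the connection name (assumed location: <GUID>\Connection, value "Name").
        $conn = $adapter.OpenSubKey('Connection')
        if ($null -eq $conn) { continue }
        $name = [string]$conn.GetValue('Name')
        $conn.Close()

        # Step 3: substring match without treating user input as a wildcard pattern.
        if ($name.IndexOf($Match, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            # Step 4: prepend \Device\NPF_ to the adapter key name.
            [pscustomobject]@{
                Connection = $name
                Guid       = $guid
                Device     = '\Device\NPF_' + $guid
            }
        }
    }
}

$results | Format-Table -AutoSize
'{0} matches returned.' -f @($results).Count
```

The Device column should line up with one of the entries printed by windump -D on the same machine.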
Example comparison using a search for "local"
C:\>cscript pcap_adapter.vbs "local" localhost -w test.txt
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Local Area Connection {EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C}
1 matches returned.
Finished writing to file. Results saved to test.txt
C:\>windump -D
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{5A28A595-2DF1-4B68-84ED-9472E2B623C1} (Intel(R) PRO/Wireless 2915ABG Network Connection (Microsoft's Packet Scheduler) )
3.\Device\NPF_{EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C} (Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )
4.\Device\NPF_{768194C6-D64E-4C01-B933-1C1724B7DA9E} (VMware Virtual Ethernet Adapter)
5.\Device\NPF_{8941359A-87BF-4EDA-A287-A3A5B2AFF1B3} (VMware Virtual Ethernet Adapter)
2 comments:
Updated v1.3 -> v1.4
fix* ControlSet identifier
Just got added to the links page on winpcap.org.
http://www.winpcap.org/misc/links.htm