WinTap (wtapdrv.sys) is a connection-less NDIS 6.0 protocol driver that supports user-mode mirroring of raw ethernet frames from one network device to another. wintap.exe is the user-mode application that sets up a uni-directional, user-level bridge to create a soft tap, similar to daemonlogger. It opens the source and destination adapters specified by the user and starts copying all ethernet frames from the source to the destination; that is, it receives packets from adapter 1 and sends them down to adapter 2. During the mirroring process, the ethernet frames are re-written to match the destination adapter's MAC.
To Build WinTap

The source code for WinTap is available for download at

https://github.com/aczire/wintap

To build the WinTap package from source:

- Download and install Visual Studio 2012.
- Download and install the latest Windows Driver Kit.
- Open wintap.sln in Visual Studio 2012.
- Rebuild the solution.

This will build the following files and place them in the <SolutionDir>\<Platform>\<ConfigurationName>\Package subdirectory:

- wtapdrv.sys: Kernel-mode driver.
- wtapdrv.inf: INF file for wtapdrv.sys.
- wtapdrv.cat: CAT file for wtapdrv.sys.
- wtapdrv.pdb: Debug symbols for wtapdrv.sys.
- WinTap.exe: User-mode application to reflect traffic.
Driver Signing

Before the WinTap package can be used, the wtapdrv.sys driver must be digitally signed. This is Microsoft policy for all kernel drivers in recent versions of Windows. See Driver Signing Requirements for Windows for more information. If you wish to simply test WinTap, you can set up a test certificate and test sign the wtapdrv.sys driver. See Test Signing a Driver Package for more information. In summary, the steps are:

- Download and install the latest Windows Driver Kit.
- Open a WDK Build Environment console as Administrator.
- Run the MakeCert.exe tool to create a test certificate, e.g. with:

  MakeCert -r -pe -ss TestCertStoreName -n "CN=TestCertName" CertFileName.cer

- Install the test certificate with CertMgr.exe, e.g. with:

  CertMgr /add CertFileName.cer /s /r localMachine ROOT
  CertMgr /add CertFileName.cer /s /r localMachine TrustedPublisher

- Sign wtapdrv.sys with the test certificate, e.g. with:

  SignTool sign /v /s TestCertStoreName /n TestCertName wtapdrv.sys

- Before you can load test-signed drivers, you must enable Windows test mode. To do this, run the command:

  Bcdedit.exe -set TESTSIGNING ON

  and restart Windows. For more information, see The TESTSIGNING Boot Configuration Option.

For information on how to build a driver solution using Microsoft Visual Studio, see Building a Driver.
To Run WinTap

INSTALLATION

You can either use the provided setup.exe or do the manual installation.

For automated install using setup.exe, place all the driver files (wtapdrv.sys, wtapdrv.inf, wtapdrv.cat) together with setup.exe in a separate folder. Now run setup.exe /install within an administrative console. Verify in the Network Connections UI that the driver is correctly installed.

Manual Install

The driver is installed using the INF file wtapdrv.inf, which is provided in the driver directory. In the Network Connections UI, select an adapter and open Properties. Click Install, then Protocol, then Add, and then Have Disk. Then point to the location of the .inf and driver. Select WinTap Protocol Driver and click OK. After installing the protocol, copy the user-mode application wintap.exe to a convenient location. Please note that the driver service has been set to manual start in the INF file. As a result, it does not get loaded automatically when you install.

Usage

To start the driver, type net start wintap.
To stop the driver, type net stop wintap.
To test the driver, run wintap. For help on usage, run wintap -?

usage: wintap <source deviceid> <destination deviceid>

*Note: In order to use wintap, the user must have administrative privilege.
C:\Users\Administrator\wintap>wintap.exe
Available Devices:
0. \DEVICE\{CE5C7DDF-A5A4-4534-B354-633C1CDB70CB}
   - Intel(R) PRO/1000 MT Network Connection #2
1. \DEVICE\{17152850-6288-471A-9708-2889E7F55EE8}
   - Intel(R) PRO/1000 MT Network Connection

Enter the number of source interface to use (0-1):1
Enter the number of destination interface to use (0-1):0

1. \DEVICE\{17152850-6288-471A-9708-2889E7F55EE8}
   - Intel(R) PRO/1000 MT Network Connection
Trying to access NDIS Device: \DEVICE\{17152850-6288-471A-9708-2889E7F55EE8}
Opened source interface successfully!
Trying to get src mac address
Got source MAC: 00:0c:29:34:a1:09

0. \DEVICE\{CE5C7DDF-A5A4-4534-B354-633C1CDB70CB}
   - Intel(R) PRO/1000 MT Network Connection #2
Trying to access NDIS Device: \DEVICE\{CE5C7DDF-A5A4-4534-B354-633C1CDB70CB}
Opened destination interface successfully!
Trying to get destination mac address
Got destination MAC: 00:0c:29:34:a1:13

Started reflecting the adapter...
>>: read pkt - 148 bytes
>>: read pkt - 60 bytes
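As an added illustration (not code from the wintap project) of the rewrite described in the overview, the following Python mirror loop parses each frame, including 802.1Q-tagged ones, drops runts, and stamps the destination adapter's MAC from the transcript above into the source-address field. Which address field the real driver rewrites is an assumption here; the log line mimics the `>>: read pkt` format shown above and additionally records the original source MAC, which the mirrored copy no longer carries.

```python
import struct

ETH_HDR_LEN = 14            # dst(6) + src(6) + ethertype(2)
ETHERTYPE_VLAN = 0x8100     # 802.1Q tag: the real ethertype sits 4 bytes later

def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload); raise on a runt or truncated header."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    off = ETH_HDR_LEN
    if etype == ETHERTYPE_VLAN:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    return dst, src, etype, frame[off:]

def rewrite_src_mac(frame: bytes, dst_adapter_mac: bytes) -> bytes:
    # Assumed rewrite (not confirmed from the driver source): stamp the egress
    # adapter's MAC into the source-address field, leaving everything else intact.
    return frame[:6] + dst_adapter_mac + frame[12:]

def reflect(frames, dst_adapter_mac: bytes):
    """Mirror loop: returns (forwarded frames, log lines in wintap's style)."""
    out, log = [], []
    for frame in frames:
        try:
            _, src, etype, _ = parse_frame(frame)
        except ValueError as err:
            log.append(f"!!: dropped - {err}")     # never forward a malformed frame
            continue
        out.append(rewrite_src_mac(frame, dst_adapter_mac))
        # the original source MAC survives only in this log line, not in the copy
        log.append(f">>: read pkt - {len(frame)} bytes "
                   f"(orig src {src.hex(':')}, type 0x{etype:04x})")
    return out, log

def build_frame(dst: str, src: str, etype: int, payload: bytes) -> bytes:
    macs = [bytes.fromhex(m.replace(":", "")) for m in (dst, src)]
    return b"".join(macs) + struct.pack("!H", etype) + payload

# Constructed sample input: a 60-byte ARP frame, a VLAN-tagged IPv4 frame, a runt.
DST_ADAPTER_MAC = bytes.fromhex("000c2934a113")   # 00:0c:29:34:a1:13 from the transcript
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 46),
    build_frame("00:0c:29:aa:bb:cc", "00:11:22:33:44:66", ETHERTYPE_VLAN,
                struct.pack("!HH", 0x0064, 0x0800) + b"\x45" + b"\x00" * 59),
    b"\x00" * 10,
]
```

Because the copy carries the tap's own MAC, any analysis on the destination side that needs the original layer-2 sender must get it from the capture point before the tap, not from the mirrored frames.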
For more information, see NDIS Protocol Drivers.