Does Microsoft Network Monitor depends on pcap/winpcap/libpcap libary? Or it has built its own libary/drivers to capture network packets? I cannot find any information about that subject. I am asking, cos Microsoft Network Monitor does not require restart after installation (so it does not load kernel level drivers?) and captures incoming packets even on Windows 7, where raw packets capturing does not work.
Additional information about raw packets limitation: http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/65ce9bee-897b-4c19-a4c6-4d3da103be44/
Edit: I find answer myself - The Network Monitor engine is divided into two parts: the capture engine and the parsing engine.
The capture engine is a driver that interfaces with the Network Driver Interface Specification (NDIS) to read frame data. It is a system driver that is installed automatically on Windows Vista. On previous operating systems, the capture driver is part of the system.
The parsing engine, on the other hand, is in user mode. This engine uses Network Monitor Parsing Language (NPL) files to determine how to parse raw frame data. It also filters frames.
The API can access both parts of the engine, as well as save and load capture files.
