koomi
August 28th, 2006, 09:56 AM
I'm running Jetico PF alongside WinPcap here, and the inbound packets I can capture have all been through the firewall engine. I would like it the other way around: to have the ability to capture inbound packets before they get swallowed up by the firewall engine. It doesn't seem possible with WinPcap, because the startup type of npf.sys is manual, while the firewall engine is a system service, getting loaded well before the filter driver. I think if I can find a packet capture driver that installs itself as a system service, I can jigger the load order of the drivers, and perhaps succeed in getting my capture data before the firewall mucks things up.
Anyone had any success in this area?
Sidenote: in Software Firewalls versus Wormhole Tunnels (http://www.securityfocus.com/infocus/1831), the authors incorrectly lay a blanket claim that PCAP on Win32 can send and receive data before "the firewall". I wonder what firewalls they tested...
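A quick way to check the load-order claim made in the post (an added example, not code from the original thread or from Jetico or WinPcap): this PowerShell snippet reads the Start value and load-order group of each named kernel service from the registry and sorts them in the order the Service Control Manager brings them up. The service name npf comes from the post; the firewall driver's service name is not given there, so it is an assumed placeholder you have to replace with the real one on your machine.

```powershell
# Added example: compare driver start types to see which one loads first.
# 'npf' is WinPcap's filter driver (named in the post); the firewall
# driver's service name is an assumed placeholder, replace it yourself.
param(
    [string[]]$Services = @('npf', 'REPLACE_WITH_FIREWALL_DRIVER_SERVICE')
)

# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$startNames = @{
    0 = 'Boot'       # loaded by the boot loader
    1 = 'System'     # loaded during kernel initialization ("system service")
    2 = 'Automatic'  # started by the SCM after boot
    3 = 'Manual'     # demand start: loaded only when something opens the device
    4 = 'Disabled'
}

$rows = foreach ($name in $Services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        Write-Warning "Service '$name' not found under $key"
        continue
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Service        = $name
        Start          = $p.Start
        StartType      = $startNames[[int]$p.Start]
        LoadOrderGroup = $p.Group
        ImagePath      = $p.ImagePath
    }
}

# A lower Start value loads earlier. Among drivers with the same start type
# the ServiceGroupOrder list and per-service tags decide, which this
# snippet reports but does not model.
$rows | Sort-Object Start, Service | Format-Table -AutoSize
```

If npf shows Start = 3 (Manual) while the firewall driver shows 0 or 1, the output confirms the ordering the post describes: the capture driver is only loaded when an application opens it, long after the firewall engine is already in the network stack. The script only reads the registry; changing start types is a separate, deliberate step and is outside this example.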