Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test

From: Jim Young <jyoung@xxxxxxx>
Date: Tue, 18 Aug 2015 16:22:39 +0000

Hello Yang,


With Npcap 0.04-r3 the Npcap Loopback Adapter is again visible and usable as a sniffable interface to Wireshark. 😊


I hope to do more extensive testing later today or tomorrow (especially regarding throughput and packet drops).


I have a question regarding the encapsulation type for packets captured on the Npcap Loopback Adapter.


Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?


I've attached two small 4 packet traces.  One is taken on a Windows 8.1 system with the Npcap adapter.  This file has an encapsulation type of ethernet with an ethernet header with all zero mac addresses.  The second trace was taken on an OS X 10.10.4 system with a NULL/Loopback encapsulation type.  For some fun take a look at Wireshark's epan/dissectors/packet-null.c for some interesting comments about the magic associated with loopback encapsulation detection.  


Take care,

Jim Y.


From: wireshark-dev-bounces@xxxxxxxxxxxxx <wireshark-dev-bounces@xxxxxxxxxxxxx> on behalf of Yang Luo <hsluoyb@xxxxxxxxx>
Sent: Tuesday, August 18, 2015 11:08
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Npcap 0.04 call for test
 
Hi Jim,

The log points to the same issue with Pascal, and please try the latest installer at:

Cheers,
Yang


Attachment: os-x.ping-to-loopback.pcapng
Description: os-x.ping-to-loopback.pcapng

Attachment: win8.1-with-npcap.ping-to-loopback.pcapng
Description: win8.1-with-npcap.ping-to-loopback.pcapng