Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Mon, 24 Aug 2015 18:19:06 +0800
Hi Pascal,

On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:


Hi Yang,

any reason for not using NdisMediumLoopback that is defined since Vista according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx ? Maybe it would make sense to switch to DLT_LOOPBACK in that case (in that case the packet type must be put in network order).

I knew there's a type named NdisMediumLoopback, MSDN said it "Specifies an NDIS loopback network.". I didn't use this value because I think NdisMediumLoopback provided by Microsoft doesn't mean what we understood it, like UNIX/Linux's loopback. In fact, NDIS never see or handle the loopback traffic, loopback packets like ICMP ones sent by "ping 127.0.0.1" never goes to NDIS layer. They are handled in TCP/IP stack (see http://stackoverflow.com/questions/18164876/is-it-possible-to-capture-localhost-packets-127-0-0-1-as-destination-in-ndis-l?rq=1). Npcap used dirty ways (WFP) to make this happen. So I think NdisMediumLoopback means something else that Microsoft wants it to mean, however I didn't find much information about it except MSDN explanation and didn't know what actually it is used for.

Another reason is that the original WinPcap (wpcap.dll) doesn't support the mapping from NdisMediumLoopback to DLT_LOOP, but it has the mapping from NdisMediumNull to DLT_NULL. So there are two ways now: 1) NdisMediumNull - DLT_NULL way, 2) NdisMediumLoopback  - DLT_LOOP way, will there be a third way like 3) NdisMediumLoopback - DLT_NULL? I didn't see any necessary connections between NdisMediumLoopback and DLT_LOOP except the shared word "loop"?
 
Note that Wireshark would still display the raw value: I'm gonna update the array.
Any reason for not making the NULL/loopback mode default instead of the fake ethernet header?

I didn't make it default because Nmap (and Nping) doesn't work under DLT_NULL mode. I think I have tried possble modifications, see: http://seclists.org/nmap-dev/2015/q3/209 for details.
 I had a rough analysis and found that at least Nping lacks the code to handle the DLT_NULL traffic. It seems to just view the received response as an Ethernet packet. And I doubt whether other tools like NetScanTools can handle this right.

Cheers,
yang