Hi list,
We have found an issue with DLT_NULL (thanks to Dan): the pcap filters do not work for IPv6 traffic over the Npcap Loopback Adapter (with the DLT_NULL option enabled). If I specify a filter like "ip6" in Wireshark and capture on the Npcap Loopback Adapter, no packets are captured, even if I ping localhost with "ping ::1". Installing Npcap with the DLT_NULL option disabled, or specifying an IPv4-related filter, doesn't cause this issue.
We found this issue is caused by the value used for IPv6 in DLT_NULL. The current implementation of Npcap uses 24 (the same as OpenBSD, NetBSD, and BSD/OS) to represent IPv6 in the DLT_NULL header. The following code is defined in Npcap's driver:

    /*
     * Types in a DLT_NULL (Loopback) header.
     */
    #define DLTNULLTYPE_IP   0x00000002 /* IP protocol */
    #define DLTNULLTYPE_IPV6 0x00000018 /* IPv6 */

What Npcap defined is currently consistent with Wireshark. Wireshark defines 3 values for DLT_NULL's IPv6 here:

    /* Family values. */
    static const value_string family_vals[] = {
        {BSD_AF_INET,          "IP"             },
        {BSD_AF_ISO,           "OSI"            },
        {BSD_AF_APPLETALK,     "Appletalk"      },
        {BSD_AF_IPX,           "Netware IPX/SPX"},
        {BSD_AF_INET6_BSD,     "IPv6"           },
        {BSD_AF_INET6_FREEBSD, "IPv6"           },
        {BSD_AF_INET6_DARWIN,  "IPv6"           },
        {0,                    NULL             }
    };

BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet.
In WinSock2.h (Windows's socket.h), the PF_ value is defined as:

    #define PF_INET6 AF_INET6

And AF_INET6 is defined in ws2def.h (in Windows SDK) as:

    #define AF_INET6 23 // Internetwork Version 6
    #define BSD_AF_IPX 23

So I just don't know how to solve it. Any opinions?
Cheers,
Yang
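
The mismatch described in the message above, as an added C example (not code from Npcap, Wireshark or libpcap). It assumes an "ip6" filter compares the 4-byte host-order DLT_NULL field against the capturing host's PF_INET6, as the quoted DLT_NULL description implies; filter_ip6_matches(), dissector_label() and make_header() are hypothetical names, and 28 and 30 are the FreeBSD and Darwin AF_INET6 values, which the message does not list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPCAP_DLTNULL_IPV6 24u /* DLTNULLTYPE_IPV6 (0x18) written by the driver */
#define WIN_PF_INET6       23u /* AF_INET6 from ws2def.h */
#define BSD_AF_INET         2u
#define BSD_AF_IPX         23u /* same number as Windows AF_INET6 */

/* Read the 4-byte family field; it is in the capturing host's byte order. */
static int dltnull_family(const uint8_t *pkt, size_t len, uint32_t *family)
{
    if (len < 4)
        return -1;              /* truncated link-layer header */
    memcpy(family, pkt, 4);     /* no byte swap on the capturing host */
    return 0;
}

/* Assumed filter model: "ip6" matches only the host's own PF_INET6 value. */
static int filter_ip6_matches(const uint8_t *pkt, size_t len, uint32_t host_pf_inet6)
{
    uint32_t fam;
    return dltnull_family(pkt, len, &fam) == 0 && fam == host_pf_inet6;
}

/* Dissector-style lookup modelled on the family_vals table quoted above. */
static const char *dissector_label(uint32_t fam)
{
    switch (fam) {
    case BSD_AF_INET: return "IP";
    case BSD_AF_IPX:  return "Netware IPX/SPX";
    case 24: case 28: case 30: return "IPv6"; /* BSD, FreeBSD, Darwin */
    default: return "unknown";
    }
}

/* Build a constructed DLT_NULL header the way a local driver would. */
static void make_header(uint8_t out[4], uint32_t family) { memcpy(out, &family, 4); }

int main(void)
{
    uint8_t hdr[4];
    const uint32_t candidates[] = { NPCAP_DLTNULL_IPV6, WIN_PF_INET6 };
    for (size_t i = 0; i < 2; i++) {
        make_header(hdr, candidates[i]);
        printf("header=%u  ip6 filter on Windows: %s  dissector: %s\n", (unsigned)candidates[i],
               filter_ip6_matches(hdr, 4, WIN_PF_INET6) ? "match" : "no match",
               dissector_label(candidates[i]));
    }
    return 0;
}
```

With 24 in the header the filter model never matches but the dissector table shows IPv6; with 23 the filter matches but the same table labels the packet IPX.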