Nmap Development mailing list archives

Re: npcap doesn't work with wireshark..


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Fri, 15 Apr 2016 00:18:36 +0800

On Thu, Apr 14, 2016 at 11:59 PM, Maayan, Elhanan <Elhanan.Maayan () sbdinc com>
wrote:

That's exactly what I did, what am I doing wrong?


OK. Right command. Then it should be the following condition:

*I believe that you have installed some conflicting software, like VPN,
anti-virus, firewall.*
*You can uninstall them and try Npcap again.*

Another way is to first try Npcap on a fresh OS. It should work. Then
add your current software one by one to see which software triggers this
issue.






The problem with our software is that you cannot tell it to use 127.0.0.1,
you have to actually provide your machine's IP. I've already read the
npcap on github, perhaps I misunderstood it.


It doesn't matter. Whether a packet is **LOOPBACK** (aka captured by Npcap
Loopback Adapter) is not determined by whether the packet's src or dst IP is
127.0.0.1 or ::1. It's determined by whether the packet is actually still in
the current machine's TCP/IP stack.
For example, say you have a physical Ethernet card with IP 192.168.0.105.
If you then run "ping 192.168.0.105" on the host, you will not capture the
corresponding ICMP packets on the Ethernet card. Instead, you will see the
packets by capturing on Npcap Loopback Adapter, because these ICMP packets
are targeted for the localhost and never go out of the machine.
This is because Npcap Loopback Adapter is essentially NOT an adapter, it's
the Windows TCP/IP stack itself.

So, going back to your question, your software can communicate with each
other using any IP of the local machine's adapters. They are ALL loopback
packets.


Cheers,
Yang






*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* Thursday, April 14, 2016 6:51 PM

*To:* Maayan, Elhanan
*Cc:* dev () nmap org
*Subject:* Re: npcap doesn't work with wireshark..







On Thu, Apr 14, 2016 at 11:38 PM, Maayan, Elhanan <
Elhanan.Maayan () sbdinc com> wrote:

Ok, so let me ask you this,

1. How do I check the loop adapter works for Wireshark? (i.e. which
address can I send the ping to, so it would show on Wireshark?)

If you run "ping 127.0.0.1" in CMD, you should see ICMP request and
response packets in Wireshark when captured on "Npcap Loopback Adapter".

If you run "ping ::1" in CMD, you should see ICMPv6 request and response
packets in Wireshark when captured on "Npcap Loopback Adapter".



2. How can I configure both our software so they would run the
traffic through loopback adapter to show the traffic?



The answer is: you DON'T need to configure your software.



If you have software like a server and a client, and the server and the
client reside on the same host and communicate with each other
(using sockets or whatever), their packets will definitely and automatically
go to the Npcap Loopback Adapter.

If you want to know why, you can read the "For softwares that uses Npcap
loopback feature" part in https://github.com/nmap/npcap/ README and
google some stuff about Windows TCP/IP stack.





Cheers,

Yang







*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* Thursday, April 14, 2016 6:25 PM
*To:* Maayan, Elhanan
*Cc:* dev () nmap org
*Subject:* Re: npcap doesn't work with wireshark..



Hi Maayan,



On Thu, Apr 14, 2016 at 10:11 PM, Maayan, Elhanan <
Elhanan.Maayan () sbdinc com> wrote:

I'm using 14 version, on win 7 64x I'm using ping for the ip loopback.

I don't know what you refer to as "ip loopback". Why not just say
127.0.0.1 (for IPv4) and ::1 (for IPv6)? These are publicly known and the
only loopback IPs.

So your ping command will definitely be

"ping 127.0.0.1" or "ping ::1"



I hope you don't think 169.x.x.x is a loopback IP.



There are no packets coming on that interface on Wireshark



The original intent was to let Wireshark display packets coming from one software to another on the same machine.

I almost had it, I think, on version 13... but Wireshark only displayed packets coming from one end, and the
other did not get them.

I think this was because originally both software ends were configured to the machine's IP, and from what I
understand they need to be configured for the 169.x.x. IP of the MS loopback

There is NO relation between what Npcap Loopback Adapter actually shows
you and the fake IP (169.x.x.x) of Npcap Loopback Adapter recognized by
Windows (like ipconfig command).

So you can't believe a single bit shown by Windows's ipconfig for Npcap
Loopback Adapter.

But version 14 doesn't display anything

I have tested Npcap 0.06 R14, the loopback capture works well.

I believe that you have installed some conflicting software, like VPN,
anti-virus, firewall.

You can uninstall them and try Npcap again.





Cheers,

Yang









Hi Maayan,



I think you are using npcap-nmap-0.06-r14.exe? What's your OS? Is it x86
or x64?



And what's your ping command? (I guess you should be aware of using "ping
127.0.0.1" or "ping ::1")



If you didn't see the ICMP and ICMPv6 packets, then does Npcap capture any
other packets on "Npcap Loopback Adapter"? You can attach the capture file
(.pcapng) in the reply.





Cheers,

Yang







On Sun, Apr 10, 2016 at 3:44 AM, Maayan, Elhanan <
Elhanan.Maayan () sbdinc com> wrote:

Hi..



I tried downloading the latest version (n14) and using Wireshark 2.0.2, but
even ping doesn't seem to register anything in Wireshark (I do see the
loopback adapter, and told Wireshark to capture packets only from it)


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
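
Added example, not part of the original thread or of Npcap: a small Python traffic generator for checking the behaviour described in the reply above, where a client and server on the same host talk over the machine's own adapter IP rather than 127.0.0.1. The function names `primary_ipv4` and `local_echo` are hypothetical, and 192.0.2.1 is a documentation address used only to pick a route.

```python
import socket
import threading

def primary_ipv4():
    """Return the IPv4 address of the adapter used for outbound traffic.
    Connecting a UDP socket only selects a route; no packet is sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1 address (assumption, never contacted)
        return s.getsockname()[0]
    except OSError:
        return "127.0.0.1"  # no routed adapter available
    finally:
        s.close()

def local_echo(ip, payload=b"npcap-loopback-check"):
    """Run a TCP server and a client on this host, both using `ip`,
    and return (port, bytes the client got back)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((ip, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(1024))  # echo one message back

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    with socket.create_connection((ip, port), timeout=5) as c:
        c.sendall(payload)
        echoed = c.recv(1024)
    t.join(timeout=5)
    srv.close()
    return port, echoed

if __name__ == "__main__":
    ip = primary_ipv4()
    port, echoed = local_echo(ip)
    print(f"exchanged {len(echoed)} bytes with {ip}:{port} on this host")
    # Capture on "Npcap Loopback Adapter" and on the physical adapter,
    # then compare where this flow shows up.
    print(f"Wireshark display filter: ip.addr == {ip} && tcp.port == {port}")
```

Start the Wireshark capture before running the script, since the exchange finishes in milliseconds.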






