Re: FW: [Bulk] Use of npcap in automation system

[食肉大灰兔V5 <hsluoyz () gmail com>]

Hi Ferreira,

What do you mean by saying "*TCP/IP is not active*"? You mean disabling the
connection in ncpa.cpl? And does this issue occur on WinPcap 4.1.3 too or
just Npcap's problem?
And have you tried latest Npcap 0.05 r4 in
https://github.com/nmap/npcap/releases?


Cheers,
Yang



On Fri, Jan 8, 2016 at 7:44 PM, Nuno Antonio Dias Ferreira <
nuno.ferreira () efacec com> wrote:

> Hi Yang,
>
> First of all, sorry about I haven’t give you feedback since October but I
> was away of this project I couldn’t do any more  tests. Now I resumed it
> and I hope you can help me to put this to work. I’m facing a problem now
> because pcap_findalldevs does not list network interfaces where TCP/IP is
> not active. That is absolute necessary for my application because witouht
> that I can’t open them using pcap_open. Can you help understand why. After
> that I need to put my app reading and writing in raw in the respective
> adapters.
>
> Here I present a diagram where you can how my app works:
>
> [cid:image002.png@01D14A08.797F6180]
>
> Basically the physical adapters are the Ethernet ports on my device and
> they are connected to the exterior network. Once the physical one is good
> it is responsible to receive packet from the exterior and forward to the
> virtual and vice versa. Once it falis physical 2 will be responsible for
> that task.
>
> Melhores Cumprimentos / Best Regards
> Nuno Antonio Dias Ferreira
> Unidade de Automação de Sistemas de Energia / Power System Automation Unit
> Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.
> Phone: 229403363
> [EFA Logo]
> Disclaimer<http://efacec.com/email.jpg>
>
> From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
> Sent: 7 de outubro de 2015 09:12
> To: Nuno Antonio Dias Ferreira <nuno.ferreira () efacec com<mailto:
> nuno.ferreira () efacec com>>
> Subject: Re: [Bulk] Use of npcap in automation system
>
> Hi Ferreira,
>
> I still didn't quite understand why I failed to reproduce this issue, but
> this usage corresponds to Microsoft's NDIS_FLAGS_DONT_LOOPBACK flag and it
> is never well documented. Whatever, this only matters with the NDIS 5's
> legacy, and we can forget about it.
>
> that If I am understanding it right, you want your program not to see the
> packets sent out by itself, in other words, the sending program is also the
> receiving program right?
> If yes, then you can try Npcap 0.05 version at:
> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.05.exe
> And let me know the result.
>
> Actually, this functionality can be easily implemented by Npcap, because
> the three packet flowing paths: receive, other-send, self-send are totally
> separated in Npcap, so it's convenient to only restrict the self-send path
> using flag.
>
> Remember: other softwares can still see all possible traffic, for
> instance, your software disabled the loopback packets using
> PCAP_OPENFLAGS_NOCAPTURE_LOCAL, then your software no longer sees the
> self-sent packets, but another software like Wireshark can still see them,
> because they're not "self" sent.
>
>
> Cheers,
> Yang
>
>
> On Tue, Oct 6, 2015 at 10:24 PM, Nuno Antonio Dias Ferreira <
> nuno.ferreira () efacec com<mailto:nuno.ferreira () efacec com>> wrote:
> Hi,
>
> My program is a kind of user space bridge. Basically I have a one physical
> interface (opened in promiscuous mode and PCAP_OPENFLAG_NOCAPTURE_LOCAL)
> bridged with one virtual. Every traffic received in the physical interface
> is forward to the virtual and vice-versa. I already followed the WinPcap’s
> mailing list and I found that after windows 8 does not support any more
> PCAP_OPENFLAG_NOCAPTURE_LOCAL due compatibility break with NDIS 5. As you
> can see in the following extract from their release notes (in bold):
>
> Version 4.1.3, 08 mar 13
> •         Added support for Windows 8 and Server 2012
> •         Removed the old CACE logo
> •         Bugfixes:
> •         Fixed a bug in the Just-In-Time compiler for BPF filters that
> could cause an OS crash when dealing with specially crafted LD instructions
> •         The BPF filter validation code was not properly validating
> division-by-zero DIV instructions.
> •         Known bugs:
> •         Transmitted packets are looped back on Windows 8 even when using
> the flag PCAP_OPENFLAGS_NOCAPTURE_LOCAL for pcap_open.
> •         pcap_dump_fopen is not supported.
>
> What I notice in my application is that all packets sent from my virtual
> interface no my physical are continuously looped back  putting my CPU
> consumption at 100%. So at this moment I’m looking for an alternative which
> might actually work.
>
> Melhores Cumprimentos / Best Regards
> Nuno Antonio Dias Ferreira
> Unidade de Automação de Sistemas de Energia / Power System Automation Unit
> Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.
> Phone: 229403363
> [EFA Logo]
> Disclaimer<http://efacec.com/email.jpg>
>
> From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com<mailto:hsluoyz () gmail com>]
> Sent: 5 de outubro de 2015 18:03
> To: Gisle Vanem <gvanem () yahoo no<mailto:gvanem () yahoo no>>; Nuno Antonio
> Dias Ferreira <nuno.ferreira () efacec com<mailto:nuno.ferreira () efacec com>>;
> Nmap-dev <dev () nmap org<mailto:dev () nmap org>>
> Subject: Re: [Bulk] Use of npcap in automation system
>
> Hi Ferreira,
>
> First allow me to paste PCAP_OPENFLAG_NOCAPTURE_LOCAL's description here
> from winpcap's source:
> /*!
>             \brief Defines if the local adapter will capture its own
> generated traffic.
>
>             This flag tells the underlying capture driver to drop the
> packets that were sent by itself.
>             This is usefult when building applications like bridges, that
> should ignore the traffic
>             they just sent.
> */
> #define PCAP_OPENFLAG_NOCAPTURE_LOCAL     8
>
> I have tested the WinPcap 4.1.3's PCAP_OPENFLAG_NOCAPTURE_LOCAL flag of
> pcap_open against my Win 8.1 x64 VM and Win10 RTM x64 VM. Both conditions
> work as expected (I mean the packet sender will not receive his sent
> packets), other WinPcap's clients (like Wireshark) will still see the sent
> packets, which is also expected according to the explanation above. So I
> can't reproduce the failure you mentioned, could you provide a sample?
>
> For another thing, AFAIK, NDIS 6 is available since Vista, 6.2 for Win7,
> 6.3 for Win8 (
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff567893(v=vs.85).aspx).
> And there isn't quite much difference of NDIS between Win7 and Win8.
>
> /* disable loopback capture if requested */
> if(flags & PCAP_OPENFLAG_NOCAPTURE_LOCAL)
> {
>             if(!PacketSetLoopbackBehavior(fp->adapter,
> NPF_DISABLE_LOOPBACK))
>             {
>                         snprintf(errbuf, PCAP_ERRBUF_SIZE, "Unable to
> disable the capture of loopback packets.");
>                         pcap_close(fp);
>                         return NULL;
>             }
> }
>
> And what Gisle said is iterally right, because
> PCAP_OPENFLAG_NOCAPTURE_LOCAL flag is just implemented by
> PacketSetLoopbackBehavior (adapter, 1), so these two ways are totally
> identical. pcap_open() is not standard API but I don't think this is your
> problem.
>
>
> Cheers,
> Yang
>
>
> On Mon, Oct 5, 2015 at 4:46 PM, Gisle Vanem <gvanem () yahoo no<mailto:
> gvanem () yahoo no>> wrote:
> Nuno Antonio Dias Ferreira wrote:
> I am software developer of automation systems. Last year I develop an
> application to allow network redundancy where I
> was using WinPcap 4.1.3, that application is running well in Windows XP
> and Windows 7 but is not working in Windows (
> and above because of changes in NDIS 6. In my application I am opening
> Pcap handler with the flag
> PCAP_OPENFLAG_NOCAPTURE_LOCAL and that’s the reason why I can’t use my app
> in Windows 8. Can you tell me if your pcap has
> this feature implemented?
>
> The flag PCAP_OPENFLAG_NOCAPTURE_LOCAL is AFAICS a parameter to
> 'pcap_open()' which is not present in standard libpcap (unless the
> REMOTE-stuff is added).
>
> But the same feature can be enabled using:
>   PacketSetLoopbackBehavior (adapter, 1);
>
> Works fine under Win 8.1.
>
> --
> --gv
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/