Nmap Development mailing list archives

RE: npcap doesn't work with wireshark..


From: "Maayan, Elhanan" <Elhanan.Maayan () sbdinc com>
Date: Thu, 14 Apr 2016 16:30:57 +0000

Ok, I'm on a corporate machine, so I'm kinda limited in what I can disable. The Windows firewall is turned off by default, but I do have ESET endpoint antivirus. As for network adapters, I have 2 VMware network adapters and one Bluetooth network connection.

Do you happen to know if any of those has a history with npcap?
Note, I also tried using RawCap, and its captured packet file does show loopback traffic (enclosed). I would imagine this is the exact traffic I should see live using npcap.


From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: Thursday, April 14, 2016 7:19 PM
To: Maayan, Elhanan
Cc: dev () nmap org
Subject: Re: npcap doesn't work with wireshark..




On Thu, Apr 14, 2016 at 11:59 PM, Maayan, Elhanan <Elhanan.Maayan () sbdinc com<mailto:Elhanan.Maayan () sbdinc com>> wrote:
That's exactly what I did, what am I doing wrong?

OK. Right command. Then it should be the following condition:

I believe that you have installed some conflicting software, like VPN, anti-virus, firewall.
You can uninstall them and try Npcap again.

Another way is to first try Npcap on a fresh OS. It should work. Then add your current software one by one to see which software triggers this issue.



The problem with our software is that you cannot tell it to use 127.0.0.1; you have to actually provide your machine's IP. I've already read the npcap README on GitHub, perhaps I misunderstood it.

It doesn't matter. Whether a packet is **LOOPBACK** (aka captured by Npcap Loopback Adapter) is not determined by whether the packet's src or dst IP is 127.0.0.1 or ::1. It's determined by whether the packet actually stays in the current machine's TCP/IP stack.
For example, you have a physical Ethernet card with IP 192.168.0.105.
If you then run "ping 192.168.0.105" on the host, you will not capture the corresponding ICMP packets on the Ethernet card. Instead, you will see the packets by capturing on Npcap Loopback Adapter, because these ICMP packets are targeted at the localhost and never leave the machine.
This is because Npcap Loopback Adapter is essentially NOT an adapter; it's the Windows TCP/IP stack itself.

So, back to your question: your software can communicate using any IP of the local machine's adapters. They are ALL loopback packets.


Cheers,
Yang



From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com<mailto:hsluoyz () gmail com>]
Sent: Thursday, April 14, 2016 6:51 PM

To: Maayan, Elhanan
Cc: dev () nmap org<mailto:dev () nmap org>
Subject: Re: npcap doesn't work with wireshark..



On Thu, Apr 14, 2016 at 11:38 PM, Maayan, Elhanan <Elhanan.Maayan () sbdinc com<mailto:Elhanan.Maayan () sbdinc com>> wrote:
Ok, so let me ask you this,

1. How do I check that the loopback adapter works for Wireshark? (i.e. which address can I send the ping to, so it would show up in Wireshark?)
If you run "ping 127.0.0.1" in CMD, you should see ICMP request and response packets in Wireshark when capturing on "Npcap Loopback Adapter".
If you run "ping ::1" in CMD, you should see ICMPv6 request and response packets in Wireshark when capturing on "Npcap Loopback Adapter".


2. How can I configure both our software ends so they would run the traffic through the loopback adapter to show the traffic?

The answer is: you DON'T need to configure your software.

If you have software like a server and a client, and the server and the client reside on the same host and communicate with each other (using a socket or whatever), their packets will definitely and automatically go to the Npcap Loopback Adapter.
If you want to know why, you can read the "For softwares that uses Npcap loopback feature" part in the README at https://github.com/nmap/npcap/ and google some stuff about the Windows TCP/IP stack.


Cheers,
Yang



From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com<mailto:hsluoyz () gmail com>]
Sent: Thursday, April 14, 2016 6:25 PM
To: Maayan, Elhanan
Cc: dev () nmap org<mailto:dev () nmap org>
Subject: Re: npcap doesn't work with wireshark..

Hi Maayan,

On Thu, Apr 14, 2016 at 10:11 PM, Maayan, Elhanan <Elhanan.Maayan () sbdinc com<mailto:Elhanan.Maayan () sbdinc com>> wrote:

I'm using version 14, on Win 7 x64. I'm using ping for the IP loopback.
I don't know what you refer to as "IP loopback". Why not just say 127.0.0.1 (for IPv4) and ::1 (for IPv6)? These are publicly known and the only loopback IPs.
So your ping command will definitely be
"ping 127.0.0.1" or "ping ::1"

I hope you don't think 169.x.x.x is a loopback IP.



There are no packets coming in on that interface in Wireshark.



The original intent was to let Wireshark display packets going from one piece of software to another on the same machine.

I've almost had it, I think, on version 13... but Wireshark only displayed packets coming from one end, and the other end did not get them.

I think this was due to the fact that originally both software ends were configured to the machine's IP, and from what I understand they need to be configured for the 169.x.x.x IP of the MS loopback.
There is NO relation between what Npcap Loopback Adapter actually shows you and the fake IP (169.x.x.x) of Npcap Loopback Adapter recognized by Windows (e.g. by the ipconfig command).
So you can't believe a single bit shown by Windows's ipconfig for Npcap Loopback Adapter.

But version 14 doesn't display anything.
I have tested Npcap 0.06 R14, and the loopback capture works well.
I believe that you have installed some conflicting software, like VPN, anti-virus, firewall.
You can uninstall them and try Npcap again.


Cheers,
Yang

Hi Maayan,

I think you are using npcap-nmap-0.06-r14.exe? What's your OS? Is it x86 or x64?

And what's your ping command? (I guess you should be aware of using "ping 127.0.0.1" or "ping ::1")

If you didn't see the ICMP and ICMPv6 packets, then does Npcap capture any other packets on "Npcap Loopback Adapter"? 
You can attach the capture file (.pcapng) in the reply.


Cheers,
Yang



On Sun, Apr 10, 2016 at 3:44 AM, Maayan, Elhanan <Elhanan.Maayan () sbdinc com<mailto:Elhanan.Maayan () sbdinc com>> wrote:
Hi..

I tried downloading the latest version (r14) and using Wireshark 2.0.2, but even ping doesn't seem to register anything in Wireshark (I do see the loopback adapter, and told Wireshark to capture packets only from it).

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




Attachment: dumpfile.pcap
Description: dumpfile.pcap
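One way to verify offline whether a capture like the enclosed one holds the echo request/reply pairs Yang describes, for 127.0.0.1 as well as for the host's own Ethernet IP. This is an added example, not code from the thread or from the Npcap project; it assumes a classic little-endian pcap (not pcapng), handles Ethernet, NULL and raw-IP link types, and the sample capture with the addresses 127.0.0.1 and 192.168.0.105 from the thread is constructed inline.

```python
import struct
from collections import Counter
DLT_NULL, DLT_EN10MB, DLT_RAW = 0, 1, 101   # link types a loopback pcap may carry

def ipv4_packet(src, dst, payload, proto=1):
    """Minimal IPv4 header (no options, checksum left 0) followed by payload."""
    ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

def icmp_echo(kind, ident=1, seq=1):
    """ICMP echo, kind 8 = request, 0 = reply (checksum left 0; parser ignores it)."""
    return struct.pack("!BBHHH", kind, 0, 0, ident, seq) + b"abcdefgh"

def build_pcap(linktype, packets):
    """Classic little-endian pcap (magic 0xa1b2c3d4), one record per packet."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1460000000, i, len(pkt), len(pkt)) + pkt
    return out

def strip_link_header(linktype, frame):
    """Return the IPv4 packet inside a frame, or None if it is not IPv4."""
    if linktype == DLT_EN10MB:                  # Ethernet: EtherType 0x0800 = IPv4
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    if linktype == DLT_NULL:                    # 4-byte host-order AF; AF_INET == 2 (assumed little-endian host)
        return frame[4:] if frame[:4] == b"\x02\x00\x00\x00" else None
    return frame if linktype == DLT_RAW else None   # raw IP: no link header at all

def icmp_echo_summary(pcap_bytes):
    """Count ICMP echo requests and replies per (src, dst) pair in a classic pcap."""
    hdr = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if hdr[0] != 0xa1b2c3d4:
        raise ValueError("only little-endian classic pcap (not pcapng) is handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = strip_link_header(hdr[6], frame)
        if ip is None or len(ip) < 28 or ip[0] >> 4 != 4 or ip[9] != 1:
            continue                            # not an IPv4/ICMP packet
        ihl = (ip[0] & 0x0F) * 4
        src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
        kind = {8: "request", 0: "reply"}.get(ip[ihl])
        if kind:
            counts[(src, dst, kind)] += 1
    return counts

# Constructed sample: "ping 127.0.0.1" and "ping 192.168.0.105" (the host's own Ethernet IP);
# both stay inside the TCP/IP stack, so both belong on the loopback capture, as Yang explains.
SAMPLE = build_pcap(DLT_RAW, [ipv4_packet(a, a, icmp_echo(k))
                              for a in ("127.0.0.1", "192.168.0.105") for k in (8, 0)])
```

Running `icmp_echo_summary` over a real file (`open("dumpfile.pcap", "rb").read()`) reports one request and one reply per pinged address when loopback capture is working; an empty result for a capture taken during a ping points at the interfering-software problem discussed above.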

