Wireshark mailing list archives
Re: Npcap 0.04 call for test
From: Yang Luo <hsluoyb () gmail com>
Date: Wed, 19 Aug 2015 12:50:46 +0800
Hi Jim,

Current fake Ethernet encapsulation of Npcap refers to the Linux implementation (actually it is Ubuntu, as I am only familiar with it for a Linux system). I don't own an OS X computer now so I can't test or use it.

One question is: is NULL/Loopback encapsulation a widespread protocol standard like Ethernet? Also, what I am worried about is whether the NULL/Loopback encapsulation type is compatible with other software, like Nmap, NetScanTools, etc. I don't know if they have a smart dissector like packet-null.c in Wireshark to tell it's a loopback packet coming.

Moreover, I found a link: https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion. It seems that some software did have problems with NULL/Loopback encapsulation, so could you tell me the advantages of this method except saving 10 bytes (Ethernet is 14 bytes without the checksum)? Thanks.

Cheers,
Yang

On Wed, Aug 19, 2015 at 1:45 AM, Guy Harris <guy () alum mit edu> wrote:

> On Aug 18, 2015, at 9:22 AM, Jim Young <jyoung () gsu edu> wrote:
>
> > Instead of supplying an ethernet header with the mac addresses of all
> > zeros, would it make more sense to supply a NULL/Loopback encapsulation
> > type to packets captured in the Npcap LoopBack Interface?
>
> It looks as if the loopback interface supplies only IPv4 and IPv6 packets. In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.
>
> For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram. For DLT_NULL, the 4-byte header is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order. The value is 2 for IPv4 and, for IPv6:
>
>     24 for OpenBSD, NetBSD, and BSD/OS;
>     28 for FreeBSD;
>     30 for OS X and iOS;
>     10 for Linux;
>     26 for Solaris;
>     23 for Windows;
>
> because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and defined it differently.
>
> For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP header to determine whether it's IPv4 or IPv6.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request () wireshark org ?subject=unsubscribe
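The three header layouts described in the quoted reply above, as an added example that is not part of the original thread or of Npcap, libpcap or Wireshark: a classifier that finds the IP datagram behind a DLT_NULL, DLT_LOOP or DLT_RAW header. The enum and function names are hypothetical, and trying both byte orders for DLT_NULL is this example's own choice for a reader that does not know the capturing host's byte order.

```c
#include <stddef.h>
#include <stdint.h>

/* Local tags for this example (hypothetical names, not libpcap's DLT_ macros). */
enum encap { ENCAP_NULL, ENCAP_LOOP, ENCAP_RAW };

/* Address-family value -> IP version, using the values listed in the message. */
static int family_to_ipver(uint32_t af)
{
    switch (af) {
    case 2:                              /* AF_INET on every platform */
        return 4;
    case 24: case 28: case 30:           /* BSD variants, OS X and iOS */
    case 10: case 26: case 23:           /* Linux, Solaris, Windows */
        return 6;
    default:
        return 0;
    }
}

/* Returns 4 or 6 and stores the offset of the IP datagram in *off;
 * returns 0 for a truncated or unrecognised packet (*off is left untouched). */
int loopback_ip_version(enum encap e, const uint8_t *p, size_t len, size_t *off)
{
    if (e == ENCAP_RAW) {                /* no header: only the version nibble */
        int v = len ? p[0] >> 4 : 0;
        if (v != 4 && v != 6)
            return 0;
        *off = 0;
        return v;
    }
    if (len < 5)                         /* 4-byte header plus first IP byte */
        return 0;
    uint32_t be = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                  ((uint32_t)p[2] << 8) | p[3];
    uint32_t le = ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
                  ((uint32_t)p[1] << 8) | p[0];
    int v = family_to_ipver(be);         /* DLT_LOOP: network byte order only */
    if (v == 0 && e == ENCAP_NULL)       /* DLT_NULL: capturing host's order */
        v = family_to_ipver(le);
    if (v == 0 || (p[4] >> 4) != v)      /* header must match the IP version nibble */
        return 0;
    *off = 4;
    return v;
}
```

Rejecting a packet whose family value disagrees with the IP version nibble keeps a mislabelled or corrupted header from steering a consumer into the wrong dissector.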