Wireshark mailing list archives

Re: Npcap 0.04 call for test


From: Yang Luo <hsluoyb () gmail com>
Date: Wed, 19 Aug 2015 12:50:46 +0800

Hi Jim,

The current fake Ethernet encapsulation of Npcap follows the Linux
implementation (actually Ubuntu, as that is the only Linux system I am
familiar with). I don't own an OS X computer now, so I can't test or use it.
One question: is NULL/Loopback encapsulation a widespread protocol
standard like Ethernet? Also, what I am worried about is whether the
NULL/Loopback encapsulation type is compatible with other software, like
Nmap, NetScanTools, etc. I don't know if they have a smart dissector like
packet-null.c in Wireshark to tell that a loopback packet is coming.

Moreover, I found a link:
https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion.
It seems that some software did have problems with NULL/Loopback
encapsulation, so could you tell me the advantages of this method other than
saving 10 bytes (Ethernet is 14 bytes without the checksum)? Thanks.

Cheers,
Yang


On Wed, Aug 19, 2015 at 1:45 AM, Guy Harris <guy () alum mit edu> wrote:


On Aug 18, 2015, at 9:22 AM, Jim Young <jyoung () gsu edu> wrote:

Instead of supplying an ethernet header with the mac addresses of all
zeros, would it make more sense to supply a NULL/Loopback encapsulation
type to packets captured in the Npcap LoopBack Interface?

It looks as if the loopback interface supplies only IPv4 and IPv6 packets.

In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.

For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the
IP datagram.  For DLT_NULL, the 4-byte header is in the byte order of the
host on which the capture is being done; for DLT_LOOP, it's in network byte
order.  The value is 2 for IPv4 and, for IPv6:

        24 for OpenBSD, NetBSD, and BSD/OS;
        28 for FreeBSD;
        30 for OS X and iOS;
        10 for Linux;
        26 for Solaris;
        23 for Windows;

because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet,
didn't define AF_INET6, so everybody ran off and defined it differently.

For DLT_RAW, the packet begins with the IP datagram; code to dissect the
packet looks at the version number in the IP header to determine whether
it's IPv4 or IPv6.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

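The three encapsulations Guy describes (DLT_NULL, DLT_LOOP, DLT_RAW) are simple enough to dissect in a few lines, and doing so shows the two things that bite tools without a packet-null.c: the 4-byte header is in capture-host byte order for DLT_NULL but network order for DLT_LOOP, and the AF_INET6 value depends on which OS wrote the capture. The following is an added example, not code from Npcap, Wireshark or libpcap. The sample IPv4 and IPv6 datagrams are constructed inline (loopback to loopback, checksums left zero), the `dissect` / `parse_ip` / `family_from_af` names are mine, and the byte-swap heuristic (treat a DLT_NULL value with any of its upper 16 bits set as written by a host of the opposite endianness) is an assumption modelled on what Wireshark's dissector does, not a copy of it.

```python
import ipaddress
import struct

# AF_INET is 2 on every platform (it dates from 4.2BSD); AF_INET6 was defined
# independently by each OS, so the value identifies the capturing platform.
AF_INET = 2
AF_INET6_BY_OS = {
    24: "OpenBSD/NetBSD/BSD/OS",
    28: "FreeBSD",
    30: "OS X/iOS",
    10: "Linux",
    26: "Solaris",
    23: "Windows",
}


def family_from_af(af):
    """Map the 4-byte AF value of a DLT_NULL/DLT_LOOP header to an IP version
    and, for IPv6, the OS whose AF_INET6 it is. Unknown values give (None, None)."""
    if af == AF_INET:
        return "IPv4", None
    if af in AF_INET6_BY_OS:
        return "IPv6", AF_INET6_BY_OS[af]
    return None, None


def parse_ip(datagram):
    """Read version and addresses from a raw IP datagram (what DLT_RAW carries,
    and what follows the 4-byte header for DLT_NULL/DLT_LOOP)."""
    if not datagram:
        raise ValueError("empty datagram")
    version = datagram[0] >> 4
    if version == 4:
        if len(datagram) < 20:
            raise ValueError("short IPv4 header")
        return {"family": "IPv4",
                "src": str(ipaddress.IPv4Address(datagram[12:16])),
                "dst": str(ipaddress.IPv4Address(datagram[16:20]))}
    if version == 6:
        if len(datagram) < 40:
            raise ValueError("short IPv6 header")
        return {"family": "IPv6",
                "src": str(ipaddress.IPv6Address(datagram[8:24])),
                "dst": str(ipaddress.IPv6Address(datagram[24:40]))}
    raise ValueError(f"unknown IP version nibble {version}")


def dissect(frame, dlt, capture_host_little_endian=True):
    """Dissect one captured frame of link type DLT_NULL, DLT_LOOP or DLT_RAW.

    capture_host_little_endian is only consulted for DLT_NULL, whose header is
    in the byte order of the host that made the capture (x86 => little)."""
    if dlt == "DLT_RAW":
        info = parse_ip(frame)
        info.update(af=None, af_os=None)
        return info
    if dlt not in ("DLT_NULL", "DLT_LOOP"):
        raise ValueError(f"unsupported link type {dlt}")
    if len(frame) < 4:
        raise ValueError("short link-layer header")

    if dlt == "DLT_LOOP":
        af = struct.unpack("!I", frame[:4])[0]          # always network order
    else:
        host, other = ("<I", ">I") if capture_host_little_endian else (">I", "<I")
        af = struct.unpack(host, frame[:4])[0]
        # Assumed heuristic: every known AF value fits in 16 bits, so upper
        # bits set means the capture came from a host of the opposite
        # endianness (or the caller guessed wrong); read it the other way.
        if af & 0xFFFF0000:
            af = struct.unpack(other, frame[:4])[0]

    family, af_os = family_from_af(af)
    if family is None:
        raise ValueError(f"unknown address family {af} in link-layer header")
    info = parse_ip(frame[4:])
    if info["family"] != family:
        # The header and the datagram disagree: e.g. a Linux AF_INET6 (10)
        # in front of an IPv4 packet. Refuse rather than trust either side.
        raise ValueError(f"header says {family} but datagram is {info['family']}")
    info.update(af=af, af_os=af_os)
    return info


# Constructed sample datagrams: 20-byte IPv4 header 127.0.0.1 -> 127.0.0.1 (UDP,
# checksum 0) and 40-byte IPv6 header ::1 -> ::1 (no next header, hop limit 64).
IPV4_DGRAM = bytes.fromhex("45000014000100004011" "0000" "7f000001" "7f000001")
IPV6_DGRAM = bytes.fromhex("60000000" "0000" "3b40" + "0" * 31 + "1" + "0" * 31 + "1")

if __name__ == "__main__":
    print(dissect(b"\x02\x00\x00\x00" + IPV4_DGRAM, "DLT_NULL"))   # x86 DLT_NULL, IPv4
    print(dissect(b"\x00\x00\x00\x02" + IPV4_DGRAM, "DLT_LOOP"))   # network order
    print(dissect(b"\x1e\x00\x00\x00" + IPV6_DGRAM, "DLT_NULL"))   # 30 = OS X AF_INET6
    print(dissect(IPV6_DGRAM, "DLT_RAW"))                          # no header at all
```

The mismatch check at the end is the part a plain "skip 4 bytes" reader lacks: with DLT_NULL, 10 means IPv6 on Linux but is not an address family anywhere else in the table, so a dissector that trusts the header alone will mislabel a capture moved between platforms, whereas DLT_RAW sidesteps the whole problem by carrying nothing but the version nibble.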
