Wireshark mailing list archives

Re: Npcap 0.04 call for test


From: Yang Luo <hsluoyb () gmail com>
Date: Mon, 24 Aug 2015 18:19:06 +0800

Hi Pascal,

On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin <pascal.quantin () gmail com>
wrote:

> Hi Yang,
>
> Any reason for not using NdisMediumLoopback, which is defined since Vista
> according to
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx
> ? Maybe it would make sense to switch to DLT_LOOPBACK in that case (in that
> case the packet type must be put in network order).


I know there's a type named NdisMediumLoopback; MSDN says it "Specifies an
NDIS loopback network." I didn't use this value because I think
NdisMediumLoopback, as provided by Microsoft, doesn't mean what we understand
it to mean, i.e. the UNIX/Linux loopback. In fact, NDIS never sees or handles
loopback traffic; loopback packets, like the ICMP ones sent by "ping 127.0.0.1",
never go to the NDIS layer. They are handled in the TCP/IP stack (see
http://stackoverflow.com/questions/18164876/is-it-possible-to-capture-localhost-packets-127-0-0-1-as-destination-in-ndis-l?rq=1).
Npcap used dirty ways (WFP) to make this happen. So I think
NdisMediumLoopback means something else that Microsoft wants it to mean;
however, I didn't find much information about it except the MSDN explanation,
and I don't know what it is actually used for.

Another reason is that the original WinPcap (wpcap.dll) doesn't support the
mapping from NdisMediumLoopback to DLT_LOOP, but it has the mapping
from NdisMediumNull to DLT_NULL. So there are two ways now: 1)
NdisMediumNull - DLT_NULL, 2) NdisMediumLoopback - DLT_LOOP; will
there be a third way like 3) NdisMediumLoopback - DLT_NULL? I didn't see
any necessary connection between NdisMediumLoopback and DLT_LOOP except
the shared word "loop".


> Note that Wireshark would still display the raw value: I'm gonna update
> the array.
> Any reason for not making the NULL/loopback mode default instead of the
> fake ethernet header?


I didn't make it default because Nmap (and Nping) doesn't work under
DLT_NULL mode. I think I have tried the possible modifications; see
http://seclists.org/nmap-dev/2015/q3/209 for details.
I did a rough analysis and found that at least Nping lacks the code to
handle DLT_NULL traffic. It seems to just treat the received response as
an Ethernet packet. And I doubt whether other tools like NetScanTools can
handle this right.

Cheers,
yang
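The two points in this exchange, the byte order of the 4-byte family field (host order for DLT_NULL, network order for DLT_LOOP, which is why Pascal notes the packet type "must be put in network order") and the failure mode Yang describes (a tool that treats DLT_NULL frames as Ethernet), as an added Python example. This is not Npcap, Nmap or Nping code. The DLT numbers and the family values follow libpcap's link-type documentation; the sample IPv4 datagram is constructed; `ethernet_only_tool` is a hypothetical model of the behaviour Yang describes, not Nping's actual decoder.

```python
"""Link-layer headers on a loopback capture: DLT_NULL, DLT_LOOP and a fake
Ethernet header, and what an Ethernet-only decoder makes of each."""
import struct

# Link-layer header type values from libpcap (pcap/dlt.h).
DLT_NULL = 0      # BSD loopback: 4-byte protocol family in HOST byte order
DLT_EN10MB = 1    # Ethernet (what a fake-Ethernet-header loopback mode emits)
DLT_LOOP = 108    # OpenBSD loopback: same header, but in NETWORK byte order

# Protocol-family values carried in the DLT_NULL/DLT_LOOP header. 2 is IPv4
# everywhere; the IPv6 value differs between BSD flavours, so decoders accept
# several (24, 28, 30 as listed in libpcap's link-type documentation).
NULL_FAMILY_TO_NAME = {2: "IPv4", 24: "IPv6", 28: "IPv6", 30: "IPv6"}
ETHERTYPE_TO_NAME = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
AF_INET = 2
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14

# Constructed sample: a minimal 28-byte IPv4 datagram (127.0.0.1 -> 127.0.0.1,
# protocol 1 = ICMP, TTL 64) carrying an 8-byte ICMP echo request. Checksums
# are left zero; it only needs the shape of what "ping 127.0.0.1" sends.
SAMPLE_IPV4 = bytes([
    0x45, 0x00, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    127, 0, 0, 1, 127, 0, 0, 1,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
])


def build_null_frame(payload, family=AF_INET):
    """DLT_NULL: family field in the capturing host's byte order ('=' = native)."""
    return struct.pack("=I", family) + payload


def build_loop_frame(payload, family=AF_INET):
    """DLT_LOOP: the same 4-byte family field, always big-endian (network order)."""
    return struct.pack("!I", family) + payload


def build_fake_ethernet_frame(payload, ethertype=ETHERTYPE_IPV4):
    """Fake Ethernet header: all-zero MAC addresses plus a real EtherType."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


def parse_frame(dlt, frame):
    """Strip the link-layer header for the given DLT.

    Returns (protocol_name_or_None, raw_protocol_value, payload).
    """
    if dlt in (DLT_NULL, DLT_LOOP):
        if len(frame) < 4:
            raise ValueError("truncated loopback header")
        order = "=" if dlt == DLT_NULL else "!"
        (family,) = struct.unpack(order + "I", frame[:4])
        return NULL_FAMILY_TO_NAME.get(family), family, frame[4:]
    if dlt == DLT_EN10MB:
        if len(frame) < ETH_HDR_LEN:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        return ETHERTYPE_TO_NAME.get(ethertype), ethertype, frame[ETH_HDR_LEN:]
    raise ValueError("unsupported DLT %d" % dlt)


def ethernet_only_tool(frame):
    """Hypothetical decoder that ignores the DLT and always assumes Ethernet.

    On a DLT_NULL frame it reads an "EtherType" out of the IPv4 header's TTL
    and protocol bytes and hands the wrong offset to the IP decoder.
    """
    return parse_frame(DLT_EN10MB, frame)


def main():
    for dlt, frame in ((DLT_NULL, build_null_frame(SAMPLE_IPV4)),
                       (DLT_LOOP, build_loop_frame(SAMPLE_IPV4)),
                       (DLT_EN10MB, build_fake_ethernet_frame(SAMPLE_IPV4))):
        name, value, payload = parse_frame(dlt, frame)
        print("DLT %3d: leading bytes %s -> %s, payload intact=%s"
              % (dlt, frame[:4].hex(), name, payload == SAMPLE_IPV4))
    name, value, payload = ethernet_only_tool(build_null_frame(SAMPLE_IPV4))
    print("Ethernet-only decoder on DLT_NULL: EtherType 0x%04x (%s), "
          "payload intact=%s" % (value, name, payload == SAMPLE_IPV4))


if __name__ == "__main__":
    main()
```

Running it shows the DLT_NULL and DLT_LOOP frames differ only in the byte order of the first four bytes, and that the Ethernet-only decoder, fed the DLT_NULL frame, reports an unknown EtherType of 0x4001 (the TTL and protocol bytes of the IPv4 header) and a misaligned payload, which is the kind of silent drop a tool without DLT_NULL handling would produce.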
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
