Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Mon, 24 Aug 2015 12:34:22 +0200


On 24 Aug 2015 12:19 PM, "Yang Luo" <hsluoyb@xxxxxxxxx> wrote:
>
> Hi Pascal,
>
> On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
>>
>> Hi Yang,
>>
>> any reason for not using NdisMediumLoopback that is defined since Vista according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx ? Maybe it would make sense to switch to DLT_LOOPBACK in that case (in that case the packet type must be put in network order).
>
> I knew there's a type named NdisMediumLoopback; MSDN says it "Specifies an NDIS loopback network." I didn't use this value because I think the NdisMediumLoopback provided by Microsoft doesn't mean what we understood it as, like UNIX/Linux's loopback. In fact, NDIS never sees or handles the loopback traffic; loopback packets like the ICMP ones sent by "ping 127.0.0.1" never go to the NDIS layer. They are handled in the TCP/IP stack (see http://stackoverflow.com/questions/18164876/is-it-possible-to-capture-localhost-packets-127-0-0-1-as-destination-in-ndis-l?rq=1). Npcap used dirty ways (WFP) to make this happen. So I think NdisMediumLoopback means something else that Microsoft wants it to mean; however, I didn't find much information about it except the MSDN explanation and didn't know what it is actually used for.
>
> Another reason is that the original WinPcap (wpcap.dll) doesn't support the mapping from NdisMediumLoopback to DLT_LOOP, but it has the mapping from NdisMediumNull to DLT_NULL. So there are two ways now: 1) the NdisMediumNull - DLT_NULL way, 2) the NdisMediumLoopback - DLT_LOOP way; will there be a third way like 3) NdisMediumLoopback - DLT_NULL? I didn't see any necessary connection between NdisMediumLoopback and DLT_LOOP except the shared word "loop"?

Thanks for the clarification.
I did not find any NdisMediumNull definition in the ntddndis.h file (I assume this is something you defined locally for convenience); that's why I suggested the NdisMediumLoopback value without double checking its exact meaning.

>
>>
>> Note that Wireshark would still display the raw value: I'm gonna update the array.
>> Any reason for not making the NULL/loopback mode default instead of the fake ethernet header?
>
> I didn't make it default because Nmap (and Nping) don't work under DLT_NULL mode. I think I have tried possible modifications, see: http://seclists.org/nmap-dev/2015/q3/209 for details.
> I had a rough analysis and found that at least Nping lacks the code to handle the DLT_NULL traffic. It seems to just view the received response as an Ethernet packet. And I doubt whether other tools like NetScanTools can handle this right.
>
> Cheers,
> yang
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
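The DLT_NULL versus DLT_LOOP mapping and the Nping misparse discussed in the thread, as an added example that is not code from Npcap, Nmap or either author: a small Python decoder for the 4-byte loopback pseudo-header (capturing host's byte order for DLT_NULL, network byte order for DLT_LOOP), next to what a parser that assumes an Ethernet header reads from the same bytes. The byte-swap heuristic for DLT_NULL and the constructed ICMP frame are assumptions, not data from the thread.

```python
import struct

# libpcap link-layer type values
DLT_NULL = 0     # 4-byte protocol family in the capturing host's byte order
DLT_LOOP = 108   # same layout, but the family is always in network byte order
PF_INET = 2      # protocol-family value used for IPv4 in both link types


def decode_loopback_header(frame: bytes, dlt: int):
    """Split a DLT_NULL/DLT_LOOP frame into (protocol family, payload)."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte loopback header")
    if dlt == DLT_LOOP:
        family = struct.unpack("!I", frame[:4])[0]
    elif dlt == DLT_NULL:
        # The writer's host order is unknown to the reader, so apply the usual
        # heuristic (assumption): a family above 0xFFFF means the bytes are swapped.
        family = struct.unpack("<I", frame[:4])[0]
        if family > 0xFFFF:
            family = struct.unpack(">I", frame[:4])[0]
    else:
        raise ValueError(f"not a loopback link type: {dlt}")
    return family, frame[4:]


def naive_ethernet_view(frame: bytes):
    """What a tool that assumes an Ethernet header reads from the same bytes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype, frame[14:]


# Constructed sample: a minimal IPv4 + ICMP echo request 127.0.0.1 -> 127.0.0.1
# (checksums left at zero; this is test data, not a captured packet).
IPV4_ICMP = (bytes([0x45, 0x00]) + struct.pack("!H", 28) + b"\x00\x01\x00\x00"
             + bytes([64, 1]) + b"\x00\x00" + b"\x7f\x00\x00\x01" * 2
             + b"\x08\x00\x00\x00\x00\x01\x00\x01")
NULL_FRAME_LE = struct.pack("<I", PF_INET) + IPV4_ICMP   # DLT_NULL, little-endian host
NULL_FRAME_BE = struct.pack(">I", PF_INET) + IPV4_ICMP   # DLT_NULL, big-endian host
LOOP_FRAME = struct.pack("!I", PF_INET) + IPV4_ICMP      # DLT_LOOP, network order


def is_ipv4_payload(family: int, payload: bytes) -> bool:
    """Cross-check the family against the IP version nibble of the payload."""
    return family == PF_INET and len(payload) >= 20 and payload[0] >> 4 == 4


if __name__ == "__main__":
    fam, payload = decode_loopback_header(NULL_FRAME_LE, DLT_NULL)
    # An Ethernet-assuming parser reads TTL+protocol of the IP header as the EtherType
    print(fam, is_ipv4_payload(fam, payload), hex(naive_ethernet_view(NULL_FRAME_LE)[0]))
```

With the IP header directly behind the 4-byte family, an Ethernet-assuming parser reads the TTL and protocol bytes as the EtherType (0x4001 here instead of 0x0800), which is why such a tool never recognises the reply as IPv4.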