New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Npcap: arp packet sent to myself cannot be responsed #1343

Open
ZacharyJia opened this Issue Oct 6, 2018 · 2 comments

Comments

Projects
None yet
3 participants
@ZacharyJia

ZacharyJia commented Oct 6, 2018

Hello there,
I am using npcap for sending raw ethernet packets, but I've found there are some problems when I send an ARP response to myself. I ping a specific IP address in my computer and my computer send a broadcast arp request. And then I construct a fake arp response packet from my computer and send it to myself. I can see from wireshark that the packet has been sent but my computer seems not receiving that packet and are still sending arp requests. I have tried to send arp request from another computer and reply arp response from my computer, and it works. I do the same thing with winpcap and it works too.
Is this a bug or a feature that I cannot send packet to myself? Are there any solution?
My npcap version is 0.99-r7 and my os is win10 build 10.0.17134.320
Thanks a lot.

@ZacharyJia ZacharyJia changed the title from Npcap: send arp packet to myself cannot be responsed to Npcap: arp packet sent to myself cannot be responsed Oct 6, 2018

@dmiller-nmap

This comment has been minimized.

Show comment
Hide comment
@dmiller-nmap

dmiller-nmap Oct 6, 2018

I'm going to give my best guess as to why this is the case, but maybe @hsluoyz can comment on whether I am correct.

Loopback traffic is IP (network layer) only, and does not use Ethernet as a link layer. ARP is a link-layer protocol used to resolve network (IP) addresses. While older Npcap releases used a fake Ethernet header for injected and received Loopback packets, newer ones default to a BSD-style NULL link header to make this more clear; the only information accepted from this header is the network protocol number (0x2 = IPv4 or 0x18 = IPv6). Because of the way Windows treats IP traffic for any configured network address as loopback traffic, it is not possible to send an ARP request or response to yourself.

dmiller-nmap commented Oct 6, 2018

I'm going to give my best guess as to why this is the case, but maybe @hsluoyz can comment on whether I am correct.

Loopback traffic is IP (network layer) only, and does not use Ethernet as a link layer. ARP is a link-layer protocol used to resolve network (IP) addresses. While older Npcap releases used a fake Ethernet header for injected and received Loopback packets, newer ones default to a BSD-style NULL link header to make this more clear; the only information accepted from this header is the network protocol number (0x2 = IPv4 or 0x18 = IPv6). Because of the way Windows treats IP traffic for any configured network address as loopback traffic, it is not possible to send an ARP request or response to yourself.

@hsluoyz

This comment has been minimized.

Show comment
Hide comment
@hsluoyz

hsluoyz Oct 7, 2018

Member

I'm curious that why WinPcap works. Neither of WinPcap and Npcap handles ARP loopback traffic specially. WinPcap is a NDIS 5 Protocol driver, Npcap is a NDIS 6 Filter driver. This may be the point.

I can think of several ways to solve it:

  1. Adjust the layer of Npcap filter driver. Maybe in a suitable layer, Npcap can work like WinPcap. Here to adjust: https://github.com/nmap/npcap/blob/a8982716bd2d7a080b43aeb97507a681f48dacee/packetWin7/npf/npf/npcap.inf#L113

  2. Add a new data-link layer WFP callout mechanism to capture/send ARP loopback traffic, just like how IP loopback is handled now. But it requires certain development.

Member

hsluoyz commented Oct 7, 2018

I'm curious that why WinPcap works. Neither of WinPcap and Npcap handles ARP loopback traffic specially. WinPcap is a NDIS 5 Protocol driver, Npcap is a NDIS 6 Filter driver. This may be the point.

I can think of several ways to solve it:

  1. Adjust the layer of Npcap filter driver. Maybe in a suitable layer, Npcap can work like WinPcap. Here to adjust: https://github.com/nmap/npcap/blob/a8982716bd2d7a080b43aeb97507a681f48dacee/packetWin7/npf/npf/npcap.inf#L113

  2. Add a new data-link layer WFP callout mechanism to capture/send ARP loopback traffic, just like how IP loopback is handled now. But it requires certain development.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment