[Npcap] LoopbackInterface not correctly registered on Windows 7

[gpotter2]

Hello,

I have ran several tests on a Windows 7 machine, with a fresh install of Npcap 0.99-r7 (there never was a Npcap before). I installed it with default options + support for raw 802.11

In scapy, we need (now uses the DLLs directly) needed at some point to get the GUID of all interfaces through Microsoft Powershell.

Issue:
The interface GUID of the loopback interface is missing from the result of Get-WmiObject Win32_NetworkAdapter | select * | fl

see https://pastebin.com/qRVp8USX (the npcap interface + one working interface)

I'm able to fallback with an ugly

PS> Get-WmiObject Win32_NetworkAdapter | select Name, DeviceID

Name                                    DeviceID
----                                    --------
WAN Miniport (SSTP)                     0
[..stuff..]
Teredo Tunneling Pseudo-Interface       11
Npcap Loopback Adapter                  12
Realtek PCIe GBE Family Controller      13
TRENDnet N150 Wireless PCI Adapter      14
Carte Microsoft 6to4                    15

followed by a

# 12 is the DeviceID of the Npcap Loopback Adapter. The NetworkCard associated to N is N+1
PS> $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" + (12 + 1)
PS > Get-ItemProperty -Path $key | select ServiceName

ServiceName
-----------
{29D40EEE-C86A-44BA-82DB-39644596E23D}

But I don't understand why this value would be missing only on the Npcap Loopback Interface, and not the others :/

Side note
On Windows 10, we use Get-NetAdapter | select InterfaceDescription, InterfaceGuid (simplified), which does not have this issue.

[dmiller-nmap]

I need to investigate this, but here are some related issues: #1284, #653.

We have had requests from users and paying licensees to both make the Loopback Adapter show up in these API functions and to be hidden from ordinary users. I am not sure how much of these issues are due to ordinary behavior of the Microsoft KM-TEST loopback adapter that the Npcap Loopback Adapter is built on or how much is due to the additional keywords we set in an attempt to be very clear that this is a software-only loopback adapter that does not have an IP configuration of its own.

[gpotter2]

About #1284:

• the loopback adapter (and its GUID) correctly appears with a pcap_findalldevs, which is surely why wireshark detects it
• scapy needs the routes associated with an interface to mark it as valid, otherwise it ignores it. That's why its not in scapy (we use the GUID to match the npcap interface and its routes)

Thank you for looking into it

[dmiller-nmap]

Ok, I have some findings, which I came up with by comparing Windows 7 (affected) and Windows 10 (unaffected):

• When installing the Microsoft Loopback Adapter (MSLOOP), upon which the Npcap Loopback Adapter is based, both Windows 7 and Windows 10 presented a GUID using the command you listed.
• On both Windows 7 and 10, the MSLOOP adapter had a value of True for the PhysicalAdapter property.
• The Npcap adapter had a value of True for PhysicalAdapter on Windows 10, but False on Windows 7.
• The values of the NDIS additional keywords in the Npcap Loopback Adapter's Registry key (HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\<adapter id number>) are as follows:
  • Windows 10: *IfType = 0x6, *MediaType = 0x0, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0
  • Windows 7: *IfType = 0x18, *MediaType = 0x11, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0

I believe, but will have to check, that the Windows 7 values for these additional keywords are the ones we are trying to set, but that Windows 10 has reverted them to default values in every case except *NdisDeviceType (which is the most important). I'll have to do more testing and research to see if removing the other additional keywords will result in a more consistent presentation of the Adapter in all Windows versions, without introducing regressions.

[dmiller-nmap]

We believe this issue was resolved in Npcap 0.99-r8 and 0.99-r9. @gpotter2 have you tried these releases, and do they solve the issue for you?

[gpotter2]

@dmiller-nmap Looks fixed to me ! Thanks for the support