New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Npcap] LoopbackInterface not correctly registered on Windows 7 #1368

Open
gpotter2 opened this Issue Oct 24, 2018 · 3 comments

Comments

Projects
None yet
2 participants
@gpotter2

gpotter2 commented Oct 24, 2018

Hello,

I have ran several tests on a Windows 7 machine, with a fresh install of Npcap 0.99-r7 (there never was a Npcap before). I installed it with default options + support for raw 802.11

In scapy, we need at some point to get the GUID of all interfaces through Microsoft Powershell.

Issue:
The interface GUID of the loopback interface is missing from the result of Get-WmiObject Win32_NetworkAdapter | select * | fl

see https://pastebin.com/qRVp8USX (the npcap interface + one working interface)

I'm able to fallback with an ugly

PS> Get-WmiObject Win32_NetworkAdapter | select Name, DeviceID

Name                                    DeviceID
----                                    --------
WAN Miniport (SSTP)                     0
[..stuff..]
Teredo Tunneling Pseudo-Interface       11
Npcap Loopback Adapter                  12
Realtek PCIe GBE Family Controller      13
TRENDnet N150 Wireless PCI Adapter      14
Carte Microsoft 6to4                    15

followed by a

# 12 is the DeviceID of the Npcap Loopback Adapter. The NetworkCard associated to N is N+1
PS> $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" + (12 + 1)
PS > Get-ItemProperty -Path $key | select ServiceName

ServiceName
-----------
{29D40EEE-C86A-44BA-82DB-39644596E23D}

But I don't understand why this value would be missing only on the Npcap Loopback Interface, and not the others :/

Side note
On Windows 10, we use Get-NetAdapter | select InterfaceDescription, InterfaceGuid (simplified), which does not have this issue.

@dmiller-nmap

This comment has been minimized.

dmiller-nmap commented Oct 25, 2018

I need to investigate this, but here are some related issues: #1284, #653.

We have had requests from users and paying licensees to both make the Loopback Adapter show up in these API functions and to be hidden from ordinary users. I am not sure how much of these issues are due to ordinary behavior of the Microsoft KM-TEST loopback adapter that the Npcap Loopback Adapter is built on or how much is due to the additional keywords we set in an attempt to be very clear that this is a software-only loopback adapter that does not have an IP configuration of its own.

@gpotter2

This comment has been minimized.

gpotter2 commented Oct 25, 2018

About #1284:

  • the loopback adapter (and its GUID) correctly appears with a pcap_findalldevs, which is surely why wireshark detects it
  • scapy needs the routes associated with an interface to mark it as valid, otherwise it ignores it. That's why its not in scapy (we use the GUID to match the npcap interface and its routes)

Thank you for looking into it

@dmiller-nmap

This comment has been minimized.

dmiller-nmap commented Oct 25, 2018

Ok, I have some findings, which I came up with by comparing Windows 7 (affected) and Windows 10 (unaffected):

  • When installing the Microsoft Loopback Adapter (MSLOOP), upon which the Npcap Loopback Adapter is based, both Windows 7 and Windows 10 presented a GUID using the command you listed.
  • On both Windows 7 and 10, the MSLOOP adapter had a value of True for the PhysicalAdapter property.
  • The Npcap adapter had a value of True for PhysicalAdapter on Windows 10, but False on Windows 7.
  • The values of the NDIS additional keywords in the Npcap Loopback Adapter's Registry key (HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\<adapter id number>) are as follows:
    • Windows 10: *IfType = 0x6, *MediaType = 0x0, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0
    • Windows 7: *IfType = 0x18, *MediaType = 0x11, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0

I believe, but will have to check, that the Windows 7 values for these additional keywords are the ones we are trying to set, but that Windows 10 has reverted them to default values in every case except *NdisDeviceType (which is the most important). I'll have to do more testing and research to see if removing the other additional keywords will result in a more consistent presentation of the Adapter in all Windows versions, without introducing regressions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment