Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Npcap] LoopbackInterface not correctly registered on Windows 7 #1368

gpotter2 opened this issue Oct 24, 2018 · 5 comments

[Npcap] LoopbackInterface not correctly registered on Windows 7 #1368

gpotter2 opened this issue Oct 24, 2018 · 5 comments


Copy link

@gpotter2 gpotter2 commented Oct 24, 2018


I have ran several tests on a Windows 7 machine, with a fresh install of Npcap 0.99-r7 (there never was a Npcap before). I installed it with default options + support for raw 802.11

In scapy, we need (now uses the DLLs directly) needed at some point to get the GUID of all interfaces through Microsoft Powershell.

The interface GUID of the loopback interface is missing from the result of Get-WmiObject Win32_NetworkAdapter | select * | fl

see (the npcap interface + one working interface)

I'm able to fallback with an ugly

PS> Get-WmiObject Win32_NetworkAdapter | select Name, DeviceID

Name                                    DeviceID
----                                    --------
WAN Miniport (SSTP)                     0
Teredo Tunneling Pseudo-Interface       11
Npcap Loopback Adapter                  12
Realtek PCIe GBE Family Controller      13
TRENDnet N150 Wireless PCI Adapter      14
Carte Microsoft 6to4                    15

followed by a

# 12 is the DeviceID of the Npcap Loopback Adapter. The NetworkCard associated to N is N+1
PS> $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" + (12 + 1)
PS > Get-ItemProperty -Path $key | select ServiceName


But I don't understand why this value would be missing only on the Npcap Loopback Interface, and not the others :/

Side note
On Windows 10, we use Get-NetAdapter | select InterfaceDescription, InterfaceGuid (simplified), which does not have this issue.

Copy link

@dmiller-nmap dmiller-nmap commented Oct 25, 2018

I need to investigate this, but here are some related issues: #1284, #653.

We have had requests from users and paying licensees to both make the Loopback Adapter show up in these API functions and to be hidden from ordinary users. I am not sure how much of these issues are due to ordinary behavior of the Microsoft KM-TEST loopback adapter that the Npcap Loopback Adapter is built on or how much is due to the additional keywords we set in an attempt to be very clear that this is a software-only loopback adapter that does not have an IP configuration of its own.

Copy link

@gpotter2 gpotter2 commented Oct 25, 2018

About #1284:

  • the loopback adapter (and its GUID) correctly appears with a pcap_findalldevs, which is surely why wireshark detects it
  • scapy needs the routes associated with an interface to mark it as valid, otherwise it ignores it. That's why its not in scapy (we use the GUID to match the npcap interface and its routes)

Thank you for looking into it

Copy link

@dmiller-nmap dmiller-nmap commented Oct 25, 2018

Ok, I have some findings, which I came up with by comparing Windows 7 (affected) and Windows 10 (unaffected):

  • When installing the Microsoft Loopback Adapter (MSLOOP), upon which the Npcap Loopback Adapter is based, both Windows 7 and Windows 10 presented a GUID using the command you listed.
  • On both Windows 7 and 10, the MSLOOP adapter had a value of True for the PhysicalAdapter property.
  • The Npcap adapter had a value of True for PhysicalAdapter on Windows 10, but False on Windows 7.
  • The values of the NDIS additional keywords in the Npcap Loopback Adapter's Registry key (HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\<adapter id number>) are as follows:
    • Windows 10: *IfType = 0x6, *MediaType = 0x0, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0
    • Windows 7: *IfType = 0x18, *MediaType = 0x11, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0

I believe, but will have to check, that the Windows 7 values for these additional keywords are the ones we are trying to set, but that Windows 10 has reverted them to default values in every case except *NdisDeviceType (which is the most important). I'll have to do more testing and research to see if removing the other additional keywords will result in a more consistent presentation of the Adapter in all Windows versions, without introducing regressions.

Copy link

@dmiller-nmap dmiller-nmap commented Jan 24, 2019

We believe this issue was resolved in Npcap 0.99-r8 and 0.99-r9. @gpotter2 have you tried these releases, and do they solve the issue for you?

Copy link

@gpotter2 gpotter2 commented Feb 8, 2019

@dmiller-nmap Looks fixed to me ! Thanks for the support

@gpotter2 gpotter2 closed this Feb 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants