Skip to content

[Npcap] LoopbackInterface not correctly registered on Windows 7 #1368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gpotter2 opened this issue Oct 24, 2018 · 5 comments
Closed

[Npcap] LoopbackInterface not correctly registered on Windows 7 #1368

gpotter2 opened this issue Oct 24, 2018 · 5 comments

Comments

@gpotter2
Copy link

gpotter2 commented Oct 24, 2018
edited
Loading

Hello,

I have ran several tests on a Windows 7 machine, with a fresh install of Npcap 0.99-r7 (there never was a Npcap before). I installed it with default options + support for raw 802.11

In scapy, we need (now uses the DLLs directly) needed at some point to get the GUID of all interfaces through Microsoft Powershell.

Issue:
The interface GUID of the loopback interface is missing from the result of Get-WmiObject Win32_NetworkAdapter | select * | fl

see https://pastebin.com/qRVp8USX (the npcap interface + one working interface)

I'm able to fallback with an ugly

PS> Get-WmiObject Win32_NetworkAdapter | select Name, DeviceID

Name                                    DeviceID
----                                    --------
WAN Miniport (SSTP)                     0
[..stuff..]
Teredo Tunneling Pseudo-Interface       11
Npcap Loopback Adapter                  12
Realtek PCIe GBE Family Controller      13
TRENDnet N150 Wireless PCI Adapter      14
Carte Microsoft 6to4                    15

followed by a

# 12 is the DeviceID of the Npcap Loopback Adapter. The NetworkCard associated to N is N+1
PS> $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" + (12 + 1)
PS > Get-ItemProperty -Path $key | select ServiceName

ServiceName
-----------
{29D40EEE-C86A-44BA-82DB-39644596E23D}

But I don't understand why this value would be missing only on the Npcap Loopback Interface, and not the others :/

Side note
On Windows 10, we use Get-NetAdapter | select InterfaceDescription, InterfaceGuid (simplified), which does not have this issue.
@dmiller-nmap
Copy link

I need to investigate this, but here are some related issues: #1284, #653.

We have had requests from users and paying licensees to both make the Loopback Adapter show up in these API functions and to be hidden from ordinary users. I am not sure how much of these issues are due to ordinary behavior of the Microsoft KM-TEST loopback adapter that the Npcap Loopback Adapter is built on or how much is due to the additional keywords we set in an attempt to be very clear that this is a software-only loopback adapter that does not have an IP configuration of its own.

@gpotter2
Copy link
Author

gpotter2 commented Oct 25, 2018
edited
Loading

About #1284:

  • the loopback adapter (and its GUID) correctly appears with a pcap_findalldevs, which is surely why wireshark detects it
  • scapy needs the routes associated with an interface to mark it as valid, otherwise it ignores it. That's why its not in scapy (we use the GUID to match the npcap interface and its routes)

Thank you for looking into it

@dmiller-nmap
Copy link

Ok, I have some findings, which I came up with by comparing Windows 7 (affected) and Windows 10 (unaffected):

  • When installing the Microsoft Loopback Adapter (MSLOOP), upon which the Npcap Loopback Adapter is based, both Windows 7 and Windows 10 presented a GUID using the command you listed.
  • On both Windows 7 and 10, the MSLOOP adapter had a value of True for the PhysicalAdapter property.
  • The Npcap adapter had a value of True for PhysicalAdapter on Windows 10, but False on Windows 7.
  • The values of the NDIS additional keywords in the Npcap Loopback Adapter's Registry key (HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\<adapter id number>) are as follows:
    • Windows 10: *IfType = 0x6, *MediaType = 0x0, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0
    • Windows 7: *IfType = 0x18, *MediaType = 0x11, *NdisDeviceType = 0x1, *PhysicalMediaType = 0x0

I believe, but will have to check, that the Windows 7 values for these additional keywords are the ones we are trying to set, but that Windows 10 has reverted them to default values in every case except *NdisDeviceType (which is the most important). I'll have to do more testing and research to see if removing the other additional keywords will result in a more consistent presentation of the Adapter in all Windows versions, without introducing regressions.

dmiller-nmap pushed a commit to nmap/npcap that referenced this issue Nov 2, 2018
@bonsaiviking
Disable setting additional keywords on Loopback. See nmap/nmap#1368
f76dbe6
@dmiller-nmap
Copy link

We believe this issue was resolved in Npcap 0.99-r8 and 0.99-r9. @gpotter2 have you tried these releases, and do they solve the issue for you?

@gpotter2
Copy link
Author

gpotter2 commented Feb 8, 2019

@dmiller-nmap Looks fixed to me ! Thanks for the support

@gpotter2 gpotter2 closed this as completed Feb 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmiller-nmap @gpotter2