Issues identifying and capturing on VPN interface #1549

Open
youngbob opened this Issue Apr 10, 2019 · 0 comments

youngbob commented Apr 10, 2019

Using:

  • Windows 10 (in a VM)
  • Npcap 0.992 (loopback adapter not installed)
  • Nmap 7.70
  • Wireshark 3.0.1
  • Custom code using WinPcap/Npcap

I have a VPN interface that I am attempting to capture and send traffic on. Under WinPcap, the interface did not appear in Wireshark. Under Npcap, Wireshark shows 3 additional interfaces, none of which are named like my VPN interface, and do not show IP addresses associated with them. However, one of the interfaces shows activity when there is VPN activity, and capturing on that interface (no filter) captures outgoing packets...but blocks incoming packets. They are not captured and not received by the OS. Stopping the capture allows for the connection to resume normally. Capturing on either of the other two interfaces results in a successful capture.

My own custom code bails out early because it can't find an IP address for the three interfaces. I'm attempting to get things working in Wireshark and Nmap first, as it seems to be an Npcap issue.


(some minor details changed/redacted in output)

ipconfig /all output:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-04-1C-ED
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::389f:d68c:a839:a336%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.148.190(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, April 10, 2019 11:07:09 AM
   Lease Expires . . . . . . . . . . : Wednesday, April 10, 2019 11:52:08 AM
   Default Gateway . . . . . . . . . : 192.168.148.2
   DHCP Server . . . . . . . . . . . : 192.168.148.254
   DHCPv6 IAID . . . . . . . . . . . : 33557545
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-5A-6C-30-00-0C-29-04-1C-ED
   DNS Servers . . . . . . . . . . . : 192.168.148.2
   Primary WINS Server . . . . . . . : 192.168.148.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter My VPN Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : My VPN Adapter
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 00-50-56-E0-BF-BC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

nmap --iflist output:

************************INTERFACES************************
DEV  (SHORT) IP/MASK                      TYPE     UP   MTU  MAC
eth0 (eth0)  fe80::389f:d68c:a839:a336/64 ethernet up   1500 00:0C:29:04:1C:ED
eth0 (eth0)  192.168.148.190/24           ethernet up   1500 00:0C:29:04:1C:ED
ppp0 (ppp0)  10.0.0.100/32                other    up   1400
eth1 (eth1)  fe80::b8e8:d9ee:35a3:8704/64 ethernet down 1500 00:50:56:E0:BF:BC
eth1 (eth1)  169.254.135.4/16             ethernet down 1500 00:50:56:E0:BF:BC
lo0  (lo0)   ::1/128                      loopback up   -1
lo0  (lo0)   127.0.0.1/8                  loopback up   -1

DEV    WINDEVICE
eth0   \Device\NPF_{02043403-5DE1-4A16-A84A-AEE928343A8B}
eth0   \Device\NPF_{02043403-5DE1-4A16-A84A-AEE928343A8B}
ppp0   <none>
eth1   \Device\NPF_{BB098094-9BC4-4055-BEFD-83DB9863CBF8}
eth1   \Device\NPF_{BB098094-9BC4-4055-BEFD-83DB9863CBF8}
lo0    <none>
lo0    <none>
<none> \Device\NPF_{5286309D-E680-4FD0-A549-89FF9F358BC8}
<none> \Device\NPF_{A6281E13-93DA-4FA1-BF03-D8A291DA867A}
<none> \Device\NPF_{0CC93113-A40C-4057-BE8C-32FD27A6A67B}

The interface appearing as ppp0 is the VPN adapter I'm interested in. It is not associated with a WINDEVICE, and there are three WINDEVICEs that do not have an interface. The three WINDEVICE names are the three new adapters that appear in Wireshark:

[Image: Screen Shot 2019-04-10 at 11 49 43 AM]

These "Local Area Connection" adapters do not appear to exist in Windows' list of network interfaces. "Local Area Connection 6" is the adapter that shows VPN activity, and can capture outgoing packets (but blocks incoming, as mentioned above). Capturing on "Local Area Connection 7" or "8" results in a successful capture without blocking anything, though they do not show any activity/stats in Wireshark's list of interfaces.

nmap 10.0.0.50 output:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 11:48 Eastern Daylight Time
Only ethernet devices can be used for raw scans on Windows, and
"ppp0" is not an ethernet device. Use the --unprivileged option
for this scan.
QUITTING!

It seems like this might actually work if nmap was able to associate ppp0 with a valid pcap device name. I haven't tried sending packets on one of these interfaces yet, though, only capturing.
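
The mismatch reported above (an interface with no WINDEVICE, and WINDEVICE entries with no interface) can be picked out of `nmap --iflist` output mechanically. The Python below is an added example, not part of the original issue and not Nmap or Npcap code; the function names are hypothetical and the sample is trimmed from the output quoted in the post.

```python
# Constructed sample: trimmed from the `nmap --iflist` output quoted in the post.
SAMPLE = r"""
DEV  (SHORT) IP/MASK                      TYPE     UP   MTU  MAC
eth0 (eth0)  192.168.148.190/24           ethernet up   1500 00:0C:29:04:1C:ED
ppp0 (ppp0)  10.0.0.100/32                other    up   1400
lo0  (lo0)   127.0.0.1/8                  loopback up   -1

DEV    WINDEVICE
eth0   \Device\NPF_{02043403-5DE1-4A16-A84A-AEE928343A8B}
ppp0   <none>
lo0    <none>
<none> \Device\NPF_{5286309D-E680-4FD0-A549-89FF9F358BC8}
<none> \Device\NPF_{A6281E13-93DA-4FA1-BF03-D8A291DA867A}
"""

def parse_iflist(text):
    """Return (interfaces, mapping): dev -> {type, addrs}, and [(dev, windevice)]."""
    interfaces, mapping, section = {}, [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("*"):      # a banner line ends the current table
            section = None
        elif fields[0] == "DEV":           # header row selects which table follows
            section = "map" if "WINDEVICE" in fields else "if"
        elif section == "if" and len(fields) >= 5:
            entry = interfaces.setdefault(fields[0], {"type": fields[3], "addrs": []})
            entry["addrs"].append(fields[2])
        elif section == "map" and len(fields) == 2:
            dev, win = (None if f == "<none>" else f for f in fields)
            mapping.append((dev, win))
    return interfaces, mapping

def unmatched(text):
    """Interfaces with no pcap device, and pcap devices with no interface."""
    interfaces, mapping = parse_iflist(text)
    mapped = {dev for dev, win in mapping if dev and win}
    # Loopback is skipped: it has no WINDEVICE when the loopback adapter is not installed.
    no_pcap = sorted(d for d, i in interfaces.items()
                     if d not in mapped and i["type"] != "loopback")
    orphans = sorted({win for dev, win in mapping if dev is None and win})
    return no_pcap, orphans

if __name__ == "__main__":
    no_pcap, orphans = unmatched(SAMPLE)
    print("interfaces without a pcap device:", no_pcap)
    print("pcap devices without an interface:", orphans)
```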
