Npcap: pcap_findalldevs is very slow #1551

Open
dmiller-nmap opened this Issue Apr 11, 2019 · 1 comment

dmiller-nmap commented Apr 11, 2019

Users are complaining about Wireshark taking a long time to populate the list of adapters, even going so far as to suggest turning off Npcap when using Wireshark for reading pcap files. This shouldn't take so long.

The most promising idea so far is: Don't try to open each adapter as it is found (PacketOpenAdapter) in order to determine if it is supported. Packet API docs (unpublished) indicate that PacketGetAdapterNames is supposed to only return supported adapters, but I don't know if anything relies on that. Need to check libpcap to see, since that's the primary consumer of that API.

guyharris commented Apr 18, 2019

There was a time when libpcap itself tried to open interfaces when enumerating them; this was done because, on Solaris, not all devices provided by the SIOCGLIFCONF ioctl supported being opened as DLPI devices, so, while the loopback device was listed as a network interface with addresses, you couldn't capture on it.

I changed libpcap to make the "is this a usable device?" check platform-specific. It still has to do some of the open process on platforms where not all devices supplied by the enumerate-interfaces mechanism support the platform's capture mechanism, but:

  • that doesn't do quite as much work;
  • we don't treat "you don't have permission" as meaning "you can't capture on this" (so the user won't be asking "why are there no interfaces?" if they don't have permission, they'll see the interfaces and get told "you don't have permission" so they can ask about that).

Currently, pcap-npf.c doesn't do any checks to see whether the devices returned by PacketGetAdapterNames() are devices on which it can capture, so libpcap, in WinPcap/Npcap, does, in fact, rely on PacketGetAdapterNames() returning only supported adapters. If the NPF driver only puts supported adapters into the Registry, there's presumably no need to try to open the device to see if it's supported.
