Npcap loopback adapter installed as Type=Ethernet #1585

Open
gghart opened this issue May 6, 2019 · 3 comments

@gghart

commented May 6, 2019

When we upgraded Wireshark from 2.x to 3.x and switched to Npcap, we noticed that some of our networking code was having issues, which seems to be related to Npcap setting the incorrect interface type in Windows.

In C#, we search for valid adapters with this code:

    // Requires: using System.Net.NetworkInformation;
    // Eliminate on a few other conditions too
    foreach (var ni in NetworkInterface.GetAllNetworkInterfaces())
    {
        // Bad states
        if (ni.OperationalStatus != OperationalStatus.Up)
        {
            EventLogging.LogEvent(Severity.Info, "Skipping interface " + ni.Name + " since it is not up (State=" + ni.OperationalStatus + ")");
            continue;
        }

        // Loopback adapters are not usable for our purposes
        if (ni.NetworkInterfaceType == NetworkInterfaceType.Loopback)
        {
            EventLogging.LogEvent(Severity.Info, "Skipping interface " + ni.Name + " since it is a loopback");
            continue;
        }

        return true;
    }

This does not work with Npcap interfaces because the type is set to Ethernet, not Loopback:

{System.Net.NetworkInformation.SystemNetworkInterface}
Description: "Npcap Loopback Adapter"
Id: "{94E3ED9F-6A53-4FBB-A93E-DB6BC2DB7120}"
IsReceiveOnly: false
Name: "Npcap Loopback Adapter"
NetworkInterfaceType: Ethernet <-----
OperationalStatus: Up
Speed: 1215752192
SupportsMulticast: true

Winpcap set NetworkInterfaceType = NetworkInterfaceType.Loopback, which seems to make sense given the description, but Npcap is using NetworkInterfaceType.Ethernet, which does not seem appropriate.

Please confirm,

Thanks,

Geoff

@guyharris

commented May 6, 2019

> Winpcap set NetworkInterfaceType = NetworkInterfaceType.Loopback,

No, it didn't - there is no loopback device with WinPcap. There's a reason why the device is called the "Npcap Loopback Adapter"; if you had an Npcap Loopback Adapter with Wireshark 2.x, it's because somebody installed Npcap on your machine, and you may have had an older version than the one the installer for which is bundled with Wireshark 3.0.

Note that Wireshark 3.0.1, not 3.0, is the current version, and it is bundled with an installer for Npcap 0.992; you currently have Wireshark 3.0.0, with Npcap 0.99-r9, installed, according to the version information in your Wireshark bug report. You might want to try updating to 3.0.1.

> which seems to make sense given the description, but Npcap is using NetworkInterfaceType.Ethernet, which does not seem appropriate.

I'm not sure how .NET creates the NetworkInterfaceType value for an interface - the NDIS medium types don't match with the NetworkInterfaceTypes - but there is an NdisMediumLoopback NDIS medium type.

The Npcap Loopback Adapter, when Yang Luo was developing it, originally, as I remember, offered fake Ethernet headers (which is not unprecedented - that's what Linux does); I may have suggested going with the BSD DLT_NULL header, which obviates the need to fake a source or destination address, but does mean that packets other than IPv4 or IPv6 packets may not have their packet types representable. I don't remember whether he ended up going with the DLT_NULL header only, or with a configuration option to control which header to use. If it's a configuration option, how does that get set?

@dmiller-nmap

commented May 6, 2019

The Npcap Loopback Adapter is pretty much a vanilla/unmodified installation of the Microsoft KM-TEST Loopback Adapter, so it inherits all these values from there. We do make one change, marking the adapter as an endpoint adapter and not a network adapter (See #653), but when we tried to set other values like Physical Medium, there were inconsistencies in how those were treated in the different versions of Windows. Some would overwrite our settings, others would pause network connectivity, etc.

@gghart

commented May 6, 2019

@guyharris
You're definitely right about Wireshark 2.x; that loopback adapter is from someone else - which we only found when we rebuilt a test machine from scratch. Getting rid of WinPcap was awesome though, that fixes some serious side-effects!!

The first reports we got of issues with our app were when people installed Wireshark 3.x and got the Npcap Loopback adapter from there. We have tested against 3.0 and 3.0.1 with both versions of Npcap and they behave the same.

It's not a particularly serious problem, but it is kind of a weird one to see it reported as Ethernet instead of Loopback in C#.

For now, we've just changed our code to ignore Type loopback or name contains loopback. You can feel free to address it or ignore it; just reported it as it seems odd to us.
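
The workaround described in the last comment, written out as an added example (not code from the issue or from the Npcap project): an adapter is skipped when .NET reports it as `Loopback` or when its name or description contains "loopback". The class and method names `AdapterFilter`, `LooksLikeLoopback` and `UsableAdapters` are hypothetical, and the second sample adapter in `Main` is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.NetworkInformation;

static class AdapterFilter
{
    // Pure predicate, so it can be checked against recorded adapter properties
    // without needing the adapter to be present on the machine.
    public static bool LooksLikeLoopback(NetworkInterfaceType type, string name, string description)
    {
        if (type == NetworkInterfaceType.Loopback)
            return true;
        // The Npcap Loopback Adapter reports Ethernet, so fall back to a
        // case-insensitive match on the name and description strings.
        return ContainsIgnoreCase(name, "loopback") || ContainsIgnoreCase(description, "loopback");
    }

    static bool ContainsIgnoreCase(string text, string needle) =>
        text != null && text.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0;

    // Adapters that are up and do not look like a loopback device.
    public static IEnumerable<NetworkInterface> UsableAdapters()
    {
        foreach (var ni in NetworkInterface.GetAllNetworkInterfaces())
        {
            if (ni.OperationalStatus != OperationalStatus.Up)
                continue;
            if (LooksLikeLoopback(ni.NetworkInterfaceType, ni.Name, ni.Description))
                continue;
            yield return ni;
        }
    }

    static void Main()
    {
        // Values taken from the adapter dump in the issue: type Ethernet, loopback by name.
        Console.WriteLine(LooksLikeLoopback(NetworkInterfaceType.Ethernet,
            "Npcap Loopback Adapter", "Npcap Loopback Adapter"));
        // Constructed sample: an ordinary wired adapter that must not be filtered out.
        Console.WriteLine(LooksLikeLoopback(NetworkInterfaceType.Ethernet,
            "Ethernet0", "Example Gigabit Network Connection"));
        // Live enumeration on the current machine.
        foreach (var ni in UsableAdapters())
            Console.WriteLine(ni.Name + " (" + ni.NetworkInterfaceType + ")");
    }
}
```

The string match is a heuristic: `Name` is the connection name, which a user can rename in Windows, so the check also looks at `Description`.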
