Npcap: pcap_sendpacket() Incompatible behavior with WinPcap

[markpizz]

We have identified a feature that works with WinPcap 4.1.3 that doesn't work with Npcap. This 'feature' or lack thereof, has to do with the host system's network stack being able to receive packets that are sent via pcap_sendpacket().

Our normal application sends Ethernet frames on a pcap connection opened on the host LAN interface. These packets with unique source MAC addresses (unique from the host's interface MAC address) make it readily on to the LAN using either WinPcap or Npcap. With WinPcap packets sent using pcap_sendpacket() to the host interface's MAC address are received by the host network stack. With Npcap these very same packets sent to the host's MAC (or broadcast address) aren't received by the host system's network stack.

An interesting observation: Using BOTH Npcap and WinPcap, Packets sent via pcap_sendpacket are visible in other concurrent pcap sessions on the same machine connected to the same interface.

I'm real sure that I confirmed that our expected functionality was working back in the 2016 timeframe when I was interacting with Yang during his development of Npcap. I may not have actually tested this since his early installers were somewhat unstable and had the potential to mess up the system's network setup. To avoid any danger to my development system, I did most of my testing in one of several VMs.

Current environment is Windows 10 1909 x64 and all recent versions of Npcap and WinPcap 4.1.3.

I'm attaching a test program that demonstrates this failure.

The test program will compile with Visual C or MinGW. It's only external dependency is an directory containing the Npcap/WinPcap pcap.h include file(s).

The test program sends Uses Source MAC Address of 2:3:4:5:6:7 and 2 types of packets once per second:

1. Packets with protocol type 0x9001 to the broadcast MAC address the payload in the packet contains a text timestamp and the PID of the sending process.

2. A ARP request packet. The ARP requests is unicast to the host system's MAC address asking for the Host Host system's IP address. The ARP request can optionally be sent to an address on the interface's LAN to consistently observe LAN interactions.

The program takes a single argument which is the name of the interface to open with pcap. If it is invoked without any arguments the list of host system interfaces is displayed. An alternate address to request an ARP response from can be specified by invoking the program with -arp {lan-system-ip-address} as command line arguments.

A thread is created to listen for traffic. Traffic is listening with a capture filter of "ether host 2:3:4:5:6:7". This will capture all traffic this program generates as well as any ARP responses. If another instance of this program is run concurrently, it will send the same messages differing only by the payload PID in the 0x9001 packets. Received packets are displayed as they arrive.

If WinPcap is installed (without Npcap), the output will include ARP reply packets that the host system's network stack generates. If Npcap is installed, only the transmitted packets will be returned. No ARP responses from the host system's network stack.

Example Output:

ARP of a system on the LAN that interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe -arp 192.168.60.6 \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: Npcap version 0.9987, based on libpcap version 1.9.1
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 21136
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 21136 at 02/18/20 15:11:47
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 21136 at 02/18/20 15:11:48
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
^C

ARP of a the host system's IP address using interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe  \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: Npcap version 0.9987, based on libpcap version 1.9.1
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 252
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:19
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:20
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:21
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:22
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
^C

Uninstall Npcap and install WinPcap and run the same tests:

ARP of a system on the LAN that interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe -arp 192.168.60.6 \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 16608
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:38
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:39
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:40
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:41
^C

ARP of a the host system's IP address using interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe  \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 10296
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:29
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
42 byte packet received -DST: 02:03:04:05:06:07 - SRC: 2C:FD:A1:BF:53:97 - Proto: 0806 - ARP
Message: ARP Reply sha-2C:FD:A1:BF:53:97 spa-192.168.60.46 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:30
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
42 byte packet received -DST: 02:03:04:05:06:07 - SRC: 2C:FD:A1:BF:53:97 - Proto: 0806 - ARP
Message: ARP Reply sha-2C:FD:A1:BF:53:97 spa-192.168.60.46 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:31
^C

NpcapTest.zip

[dmiller-nmap]

Thanks for this very detailed report. We are tracking this issue at #116, so I am closing this as a duplicate. Please note the workaround there of using the SendToRx feature. We are working on a solution to this issue as well.

[dmiller-nmap]

Npcap 0.9990, released on Friday, should correct this behavior. We recommend that code relying on loopback of injected packets explicitly call PacketSetLoopbackBehavior(NPF_ENABLE_LOOPBACK) in case the default should change in a future release.

EDIT: The constant is NPF_ENABLE_LOOPBACK, not PACKET_ENABLE_LOOPBACK as I had written earlier. Sorry for the confusion.