Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vlan-tagging is missing #171

Open
Schattenschimmer opened this issue May 21, 2020 · 3 comments
Open

vlan-tagging is missing #171

Schattenschimmer opened this issue May 21, 2020 · 3 comments

Comments

@Schattenschimmer
Copy link

It would be very good to see the packets oder frames with the vlan id if it's tagged.
It works with win10pcap, but not with npcap.

Is it possible to realize this feature?

Many thanks!
@guyharris
Copy link
Contributor

guyharris commented May 25, 2020
edited

It may be that VLAN-tagged packets might be indicated to NDIS with a NDIS_NET_BUFFER_LIST_8021Q_INFO structure, such that you have to extract data from that structure, if present, and insert the VLAN tag back into the packet after the source address in received packets.

If you're transmitting packets, you may also have to remove the VLAN tag and add that structure for devices that have the NDIS_MAC_OPTION_8021Q_VLAN flag set in the MAC options.

@Str1ker17
Copy link

Str1ker17 commented Jul 10, 2020
edited

Yes! I just installed Win10pcap over npcap and REALLY miss this feature in npcap!
@guyharris probably we can do it ourselves in collaboration. Does it look complex?

@guyharris
Copy link
Contributor

Note that this complicates packet filtering; that happens before the packet is copied to the buffer (so that we don't waste CPU time or buffer space on packets uninteresting to the person or program doing the capturing), so the VLAN tag is out-of-band data and a simple load from the mbuf chainmemory descriptor list won't fetch it.

The good news is that Linux has the exact same issue, as it can also remove VLAN tags so that they're out-of-band data that 1) needs to be handled specially by generated BPF code and 2) must be reinserted into the packet data before being handed to libpcap's caller.

For BPF, Linux's in-kernel BPF code allows some "special" packet offsets, with the uppermost bit set (so that, if interpreted as signed, they're negative) that refer to packet metadata. See the "Possible BPF extensions are shown in the following table" table in Linux Socket Filtering aka Berkeley Packet Filter (BPF). (Its BPF code translates BPF programs to eBPF programs, and the latter might be interpreted or translated to machine code, so finding the code that implements this in the Linux kernel is a bit of work, and, besides, that code is under GPLv2; see, instead, the case BPF_LD|BPF_B|BPF_ABS code in libpcap's bpf_filter.c.)

For re-inserting the VLAN tag, the Linux kernel doesn't do that - it just makes the metadata available; libpcap re-inserts the VLAN tag. For NPF, given that the driver is copying from the MDL to the buffer anyway, it might make sense to re-insert the VLAN tag in that process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@guyharris @Str1ker17 @Schattenschimmer