NMap iflist returns WINDEVICE <None> for a Virtual Wireguard Interface

[TomisderMeister]

Hello everyone,
I faced a problem regarding a missing/inaccessible adapter with Wireshark/Scapy created by Wireguard.
nmap --iflist returning:

eth0 is the Virtual Adapter from Wireguard. The adapter working correctly, but I am unable to sniff data with npcap/scapy/Wirteshark.
NMap -> 7.80
Scapy -> 2.4.3
Wireshark -> 3.2.4
Wireguard -> 0.1.0
NPcap -> 0.9991

Diag Report:
DiagReport-20200524-155041.txt

I tried mutliple releases and the bug is reproducable on a second device.
I would be really glad if you could help regarding this problem.

[guyharris]

So the only occurrences of "WireGuard" in the Diag Report are in:

*************************************************
Network Adapter(s) Info:
*************************************************

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Realtek PCIe GbE Family Controller           14 Up           50-46-5D-8D-83-71         1 Gbps
TobiTunnel                WireGuard Tunnel                              7 Up                                   100 Gbps

Caption         : [00000002] Realtek PCIe GbE Family Controller
GUID            : {98D2E49D-710A-48FF-ABDC-89BA36048B9F} = eth1
Index           : 2
InterfaceIndex  : 14
Manufacturer    : Realtek
NetConnectionID : Ethernet
PNPDeviceID     : PCI\VEN_10EC&DEV_8168&SUBSYS_85051043&REV_09\4&21A1C3AE&0&00E5

Caption         : [00000012] Wintun Userspace Tunnel
GUID            : {3B758425-0C12-5B9B-708D-C6F0A39B222C}
Index           : 12
InterfaceIndex  : 7
Manufacturer    : WireGuard LLC
NetConnectionID : TobiTunnel
PNPDeviceID     : ROOT\NET\0000

Can you try to capture with TShark (tshark.exe should be in the same directory as Wireshark.exe), passing it the command-line argument -i \Device\NPF_{3B758425-0C12-5B9B-708D-C6F0A39B222C} ?

What does the command ipconfig/all print?

[per-allansson]

I have the same problem, attached info.

C:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}
Capturing on '\Device\NPF_{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}'
tshark: The capture session could not be initiated on interface '\Device\NPF_{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}' (No such device exists).
Please check that you have the proper interface or pipe specified.

DiagReport-20200715-102840.txt
ipconfig.txt

[guyharris]

The device in question appears in the DiagReport:

Caption             : [00000000] Wintun Userspace Tunnel
GUID                : {3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}
Index               : 0
InterfaceIndex      : 6
Manufacturer        : WireGuard LLC
MACAddress          : 
Speed               : 100000000000
NetConnectionID     : AppGateSDP
NetConnectionStatus : 2
PNPDeviceID         : ROOT\NET\0000
ServiceName         : wintun
AdapterType         : 

but does not appear in the ipconfig/all output.

The Hyper-V virtual adapter appears in both:

Caption             : [00000003] Hyper-V Virtual Ethernet Adapter
GUID                : {1ED37246-AA38-47E3-9D32-8D89AD4D054E}
Index               : 3
InterfaceIndex      : 29
Manufacturer        : Microsoft
MACAddress          : 00:15:5D:BB:38:A1
Speed               : 10000000000
NetConnectionID     : vEthernet (Default Switch)
NetConnectionStatus : 2
PNPDeviceID         : ROOT\VMS_MP\0000
ServiceName         : VMSNPXYMP
AdapterType         : Ethernet 802.3

and

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-BB-38-A1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7547:886:90f6:53c6%29(Preferred) 
   IPv4 Address. . . . . . . . . . . : 172.19.128.1(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 486544733
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-62-76-D9-90-1B-0E-4E-3B-EF
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

[per-allansson]

Well I change the description in my code when setting up the device, so the device you are looking for is the one with in diag txt "NetConnectionID : AppGateSDP" - which matches the "Unknown adapter AppGateSDP" in ipconfig. Apart from that description change the setup code is the same that the normal Wireguard client uses.

[guyharris]

Well I change the description in my code when setting up the device, so the device you are looking for is the one with in diag txt "NetConnectionID : AppGateSDP"

Yes. that's the entry I mentioned.

• which matches the "Unknown adapter AppGateSDP" in ipconfig. Apart from that description change the setup code is the same that the normal Wireguard client uses.

OK, so that's

Unknown adapter AppGateSDP:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : AppGate SDP VPN Tunnel
   Physical Address. . . . . . . . . : 
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00:ffff:b:20::714(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.100.172(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 172.17.40.65
                                       172.17.40.66
                                       172.17.40.9
  NetBIOS over Tcpip. . . . . . . . : Enabled

So what's the difference between the two?

[per-allansson]

Sorry don't follow - difference between the two what?

[guyharris]

The difference between the AppGate SDP VPN Tunnel/Wintun Userspace Tunnel device and the Hyper-V Virtual Ethernet Adapter device.

If capturing on the latter doesn't work, there may not be a difference. If capturing on the latter does work, then the first one gets ERROR_BAD_UNIT back from an attempt to open it, the second one doesn't, so why?

That means that either:

• PacketFindAdInfo() returns NULL for the device;
• the Flags field of what PacketFindAdInfo() found has a bogus type (either not an NPF device or has the "not exported" flag set.

"Not exported" appears to happen only for FireWire devices, which the device almost certainly isn't. Perhaps there is no entry for it in the Registry, or the open attempt on it failed for some reason while constructing the list of devices?

[per-allansson]

Ah. Capturing on the the Hyper-V Virtual Ethernet Adapter is fine, at least wireshark/tshark/etc finds and connects fine to it.

Yeah, so maybe there is something funny going on in how the Wintun device gets registered / set up - that's more than I know - I only reuse the WG code for setting it up.

[per-allansson]

These are the logs for testing directly with the official WireGuard client - I attached the WG profile I used as well (dummy keys ofc) - you could test this by yourself by just installing the WireGuard client and giving it that profile and activate it - there is no need for an actual WG server - the Wintun device gets set up anyway.

You can find the WG client here: https://www.wireguard.com/install/

tshark.txt
DiagReport-20200715-110019.txt
ipconfig.txt
W10.conf.txt

[timg11]

I have a similar issue on Windows 10.
nmap --iflist and Wireshark using npcap 0.9995 are unable to detect the Wireguard interface created by Mozilla VPN.
I posted details on Stackoverflow

DiagReport-20200801-093901.txt

[per-allansson]

So I started to see if I could figure out something more and found the iflist example in the npcap source code - it also fails to list the Wintun Virtual NIC as expected, but together with a debug version of packet.lib/dll I could at least get out some more logs that might shed some more light for those more familiar with the inner workings of npcap.

So the diagreport on this machine shows the Wintun NIC nic:

Caption             : [00000013] Wintun Userspace Tunnel
GUID                : {3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}
Index               : 13
InterfaceIndex      : 9
Manufacturer        : WireGuard LLC
MACAddress          : 
Speed               : 100000000000
NetConnectionID     : AppgateSDP
NetConnectionStatus : 2
PNPDeviceID         : ROOT\NET\0000
ServiceName         : wintun
AdapterType         : 

while the Packet.log shows this when it tries to grab hold of the device npcap path thing:

[00005D88] 2020-09-08 18:03:29     14) Successfully retrieved info for adapter \Device\NPCAP\{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}, trying to add it to the global list...
[00005D88] 2020-09-08 18:03:29 --> PacketAddAdapterNPF
[00005D88] 2020-09-08 18:03:29     Trying to add adapter \Device\NPCAP\{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}
[00005D88] 2020-09-08 18:03:29     Trying to open the NPF adapter and see if it's available...
[00005D88] 2020-09-08 18:03:29 --> PacketOpenAdapterNPF
[00005D88] 2020-09-08 18:03:29     Trying to open adapter \Device\NPCAP\{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}
[00005D88] 2020-09-08 18:03:29 --> PacketStartService
[00005D88] 2020-09-08 18:03:29     PacketStartService: Already tried once.
[00005D88] 2020-09-08 18:03:29 <-- PacketStartService
[00005D88] 2020-09-08 18:03:29 --> NpcapIsAdminOnlyMode
[00005D88] 2020-09-08 18:03:29 <-- NpcapIsAdminOnlyMode
[00005D88] 2020-09-08 18:03:29     SymbolicLinkA = \\.\Global\NPCAP\{3F2E7B29-EE1D-4BAF-9572-5546CBED90F1}, lpAdapter->hFile = ffffffff
[00005D88] 2020-09-08 18:03:29     PacketOpenAdapterNPF: CreateFile failed, LastError= 8034002b
[00005D88] 2020-09-08 18:03:29 <-- PacketOpenAdapterNPF
[00005D88] 2020-09-08 18:03:29     NPF Adapter not available, do not add it to the global list
[00005D88] 2020-09-08 18:03:29 <-- PacketAddAdapterNPF
[00005D88] 2020-09-08 18:03:29 --> IsFireWire
[00005D88] 2020-09-08 18:03:29 <-- IsFireWire

The adapter properties for the Wintun adapter does show the "Npcap Packet Driver (NPCAP)" and "Npcap Packet Driver (NPCAP) (Wi-Fi)" as enabled.

Using npcap 0.9997 - and the debug build of packet.lib/dll built from latest git sources when running the iflist.exe

[fghzxm]

Is there any easy way we can talk to the WireGuard people about this problem? They don't use GitHub issues, and the WireGuard mailing list doesn't look particularly hospitable.

[zx2c4]

Hi, Wintun developer here. I noticed the same issue a few weeks ago actually. I assume that npcap only binds to ethernet interfaces and doesn't know about layer 3 interfaces on Windows. Wintun uses these specification in its inf:

Characteristics = 0x1 ; NCF_VIRTUAL
*IfType = 53 ; IF_TYPE_PROP_VIRTUAL
*MediaType = 19 ; NdisMediumIP
*PhysicalMediaType = 0 ; NdisPhysicalMediumUnspecified

I assume that npcap doesn't know about either IF_TYPE_PROP_VIRTUAL or NdisMediumIP or both.

Looking at npcap's inf, we see this:

HKR, Ndi\Interfaces,UpperRange, , noupper
HKR, Ndi\Interfaces,LowerRange, , "ndis5,ndis4"
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"

This suggests that it's left out whatever is needed to match on Wintun. I don't know if NdisMediumIP corresponds to adding , ip to that list, or some other string.

[stvitaly]

Now when WinTun is a part of OpenVPN 2.5 installation this became much more important to support WinTun in npcap.
Is there any intention to change something here or in WinTun in the near future, so this pair would work?

[zx2c4]

to change something here or in WinTun in the near future, so this pair would work

This appears to be a npcap issue, rather than a Wintun one.