Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scanning network from Wireguard tunnel results in "expression rejects all packets" yet local network scan works without issue #640

Open
bigretromike opened this issue Oct 8, 2022 · 8 comments

Comments

@bigretromike
Copy link

bigretromike commented Oct 8, 2022

Describe the bug
I'm trying to scan network that is on the other side of wireguard tunnel. That will results in: Error compiling our pcap filter: expression rejects all packets. Scaning with same setup my local network is working correct.

To Reproduce
Steps to reproduce the behavior:

  1. Install WireGuard on Windows
  2. Connect wireguard with wireguard server and allow only ip from that network and wireguard interface ex. 192.168.200.0/24
  3. nmap 192.168.200.1
  4. Get error Error compiling our pcap filter: expression rejects all packets.

Expected behavior
I should be able to scan host on other side of Wireguard tunnel

Diagnostic information

  • windows 11 pro 22621
*************************************************
DiagReport for Npcap ( https://npcap.com )
*************************************************
Script Architecture:		64-bit
Script Path:			C:\Program Files\Npcap\DiagReport.ps1
Current Time:			10/09/2022 00:34:59
Npcap install path:		C:\Program Files\Npcap
Npcap Version:			1.71
PowerShell Version:		5.1.22621.608


*************************************************
OS Info:
*************************************************


Caption                 : Microsoft Windows 11 Pro
BuildNumber             : 22621
Locale                  : 0415
MUILanguages            : {pl-PL}
OSArchitecture          : 64-bitowy
ServicePackMajorVersion : 0
ServicePackMinorVersion : 0
SystemDirectory         : C:\WINDOWS\system32
Version                 : 10.0.22621





*************************************************
CPU Info:
*************************************************


Name                      : Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz
Manufacturer              : GenuineIntel
DeviceID                  : CPU0
NumberOfCores             : 4
NumberOfEnabledCore       : 4
NumberOfLogicalProcessors : 4
Addresswidth              : 64





*************************************************
Memory Info:
*************************************************
Size:				16328 MB (17121157120 Bytes)


*************************************************
Network Adapter(s) Info:
*************************************************


Caption             : [00000001] Realtek PCIe GbE Family Controller
GUID                : {8A0D060B-B2AC-4F17-8825-39AD4B290058}
Index               : 1
InterfaceIndex      : 14
Manufacturer        : Realtek
MACAddress          : D4:3D:7E:D7:12:A9
Speed               : 1000000000
NetConnectionID     : Ethernet 2
NetConnectionStatus : 2
PNPDeviceID         : PCI\VEN_10EC&DEV_8168&SUBSYS_78511462&REV_0C\4&27483E63&0&00E2
ServiceName         : rt640x64
AdapterType         : Ethernet 802.3

Caption             : [00000002] VirtualBox Host-Only Ethernet Adapter
GUID                : {9D3030CA-93D1-4788-A1B4-F0F1A0841F51}
Index               : 2
InterfaceIndex      : 16
Manufacturer        : Oracle Corporation
MACAddress          : 0A:00:27:00:00:10
Speed               : 1000000000
NetConnectionID     : VirtualBox Host-Only Network
NetConnectionStatus : 2
PNPDeviceID         : ROOT\NET\0000
ServiceName         : VBoxNetAdp
AdapterType         : Ethernet 802.3

Caption             : [00000003] LogMeIn Hamachi Virtual Ethernet Adapter
GUID                : {3D02AAFD-8417-4D65-813F-6B347290BEC8}
Index               : 3
InterfaceIndex      : 8
Manufacturer        : LogMeIn Inc.
MACAddress          : 
Speed               : 
NetConnectionID     : Hamachi
NetConnectionStatus : 4
PNPDeviceID         : ROOT\NET\0001
ServiceName         : Hamachi
AdapterType         : 

Caption             : [00000004] Realtek PCIe GbE Family Controller
GUID                : {E1B39525-36AE-4B42-A340-6B79AAFB2AB7}
Index               : 4
InterfaceIndex      : 20
Manufacturer        : Realtek
MACAddress          : D4:3D:7E:D7:12:A8
Speed               : 9223372036854775807
NetConnectionID     : Ethernet
NetConnectionStatus : 7
PNPDeviceID         : PCI\VEN_10EC&DEV_8168&SUBSYS_78511462&REV_0C\4&17B0DE03&0&00E3
ServiceName         : rt640x64
AdapterType         : Ethernet 802.3

Caption             : [00000005] Intel(R) Centrino(R) Wireless-N 2230
GUID                : {046D88C9-EAB1-4315-805A-E0FCA2CCFDB4}
Index               : 5
InterfaceIndex      : 2
Manufacturer        : Intel Corporation
MACAddress          : 68:17:29:41:18:83
Speed               : 9223372036854775807
NetConnectionID     : Wi-Fi
NetConnectionStatus : 7
PNPDeviceID         : PCI\VEN_8086&DEV_0887&SUBSYS_40628086&REV_C4\4&33814C64&0&00E4
ServiceName         : NETwNe64
AdapterType         : Ethernet 802.3

Caption             : [00000017] WireGuard Tunnel
GUID                : {0B55DCEC-2AB9-BD10-80FF-D7A77973D76B}
Index               : 17
InterfaceIndex      : 58
Manufacturer        : WireGuard LLC
MACAddress          : 
Speed               : 100000000000
NetConnectionID     : DataCenter01
NetConnectionStatus : 2
PNPDeviceID         : SWD\WIREGUARD\{0B55DCEC-2AB9-BD10-80FF-D7A77973D76B}
ServiceName         : WireGuard
AdapterType         : 





*************************************************
NDIS Light-Weight Filter (LWF) Info:
*************************************************
HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\*:


InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262144
ComponentId      : ms_bridge
Description      : @%SystemRoot%\system32\bridgeres.dll,-2
InfPath          : netbrdg.inf
InfSection       : Install
LocDescription   : @%SystemRoot%\system32\bridgeres.dll,-2

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262184
ComponentId      : ms_wfplwf_lower
Description      : @%windir%\System32\drivers\wfplwfs.sys,-6006
InfPath          : wfplwfs.inf
InfSection       : WfpLwf_Lower_Install
LocDescription   : @%windir%\System32\drivers\wfplwfs.sys,-6006

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 40
ComponentId      : ms_netbios
Description      : @%windir%\system32\drivers\netbios.sys,-501
InfPath          : netnb.inf
InfSection       : NetBIOS.ndi
LocDescription   : @%windir%\system32\drivers\netbios.sys,-501

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262200
ComponentId      : ms_ndiscap
Description      : @%windir%\System32\drivers\ndiscap.sys,-5000
InfPath          : ndiscap.inf
InfSection       : Install
LocDescription   : @%windir%\System32\drivers\ndiscap.sys,-5000

InstallTimeStamp : {221, 7, 12, 0...}
ComponentId      : ms_server
Description      : @%systemroot%\system32\srvsvc.dll,-109
InfPath          : Netserv.inf
InfSection       : Install.ndi
LocDescription   : @%systemroot%\system32\srvsvc.dll,-109

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262144
ComponentId      : vms_vsf
Description      : @%windir%\System32\drivers\vmswitch.sys,-60005
InfPath          : wvms_vsft.inf
InfSection       : VMSVSF.ndi
LocDescription   : @%windir%\System32\drivers\vmswitch.sys,-60005

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262184
ComponentId      : ms_vwifi
Description      : @%windir%\System32\drivers\vwififlt.sys,-105
InfPath          : netvwififlt.inf
InfSection       : Install
LocDescription   : @%windir%\System32\drivers\vwififlt.sys,-105

InstallTimeStamp : {230, 7, 9, 0...}
Characteristics  : 262144
ComponentId      : oracle_VBoxNetLwf
Description      : @oem15.inf,%vboxnetlwf_desc%;VirtualBox NDIS6 Bridged Networking Driver
InfPath          : oem15.inf
InfSection       : VBoxNetLwf.ndi
LocDescription   : @oem15.inf,%vboxnetlwf_desc%;VirtualBox NDIS6 Bridged Networking Driver

InstallTimeStamp : {230, 7, 10, 0...}
Characteristics  : 262144
ComponentId      : insecure_npcap
Description      : @oem32.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP)
InfPath          : oem32.inf
InfSection       : FilterStandard
LocDescription   : @oem32.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP)

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262144
ComponentId      : ms_pacer
Description      : @%windir%\System32\drivers\pacer.sys,-101
InfPath          : netpacer.inf
InfSection       : Install
LocDescription   : @%windir%\System32\drivers\pacer.sys,-101

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262184
ComponentId      : ms_wfplwf_upper
Description      : @%windir%\System32\drivers\wfplwfs.sys,-6005
InfPath          : wfplwfs.inf
InfSection       : WfpLwf_Upper_Install
LocDescription   : @%windir%\System32\drivers\wfplwfs.sys,-6005

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262184
ComponentId      : ms_nativewifip
Description      : @%windir%\System32\drivers\nwifi.sys,-101
InfPath          : netnwifi.inf
InfSection       : MS_NWIFI.Install
LocDescription   : @%windir%\System32\drivers\nwifi.sys,-101

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262144
ComponentId      : ms_wfplwf_vswitch
Description      : @%windir%\System32\drivers\wfplwfs.sys,-6004
InfPath          : wfplwfs.inf
InfSection       : WfpLwf_vSwitch_Install
LocDescription   : @%windir%\System32\drivers\wfplwfs.sys,-6004

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262144
ComponentId      : ms_l2bridge
Description      : @%SystemRoot%\System32\drivers\l2bridge.sys,-5000
InfPath          : l2bridge.inf
InfSection       : Install
LocDescription   : @%SystemRoot%\System32\drivers\l2bridge.sys,-5000

InstallTimeStamp : {221, 7, 12, 0...}
Characteristics  : 262184
ComponentId      : ms_winvfp
Description      : Microsoft Azure VFP Switch Filter Extension
InfPath          : vfpfilter.inf
InfSection       : Install
LocDescription   : Microsoft Azure VFP Switch Filter Extension




Name                           DisplayName                                        ComponentID          Enabled     
----                           -----------                                        -----------          -------     
Ethernet                       Npcap Packet Driver (NPCAP)                        insecure_npcap       True        
VirtualBox Host-Only Network   Npcap Packet Driver (NPCAP)                        insecure_npcap       True        
Ethernet 2                     Npcap Packet Driver (NPCAP)                        insecure_npcap       True        
Hamachi                        Npcap Packet Driver (NPCAP)                        insecure_npcap       True        
DataCenter01                   Npcap Packet Driver (NPCAP)                        insecure_npcap       True        
Wi-Fi                          Npcap Packet Driver (NPCAP)                        insecure_npcap       True        


*************************************************
File Info:
*************************************************

LastWriteTime : 18.08.2022 19:49:28
Length        : 815
Name          : CheckStatus.bat


LastWriteTime : 09.10.2022 00:34:58
Length        : 0
Name          : DiagReport-20221009-003458.txt


LastWriteTime : 18.08.2022 19:49:28
Length        : 1042
Name          : DiagReport.bat


LastWriteTime : 18.08.2022 19:49:28
Length        : 18078
Name          : DiagReport.ps1


LastWriteTime : 18.08.2022 19:49:28
Length        : 2513
Name          : FixInstall.bat


LastWriteTime : 09.10.2022 00:19:54
Length        : 35382
Name          : install.log


LastWriteTime : 18.08.2022 19:49:28
Length        : 11547
Name          : LICENSE


LastWriteTime : 19.08.2022 21:59:06
Length        : 12707
Name          : npcap.cat


LastWriteTime : 19.08.2022 21:59:06
Length        : 8844
Name          : npcap.inf


LastWriteTime : 19.08.2022 21:59:06
Length        : 77336
Name          : npcap.sys


LastWriteTime : 19.08.2022 21:59:06
Length        : 2433
Name          : npcap_wfp.inf


LastWriteTime : 19.08.2022 21:09:18
Length        : 308176
Name          : NPFInstall.exe


LastWriteTime : 09.10.2022 00:19:36
Length        : 55015
Name          : NPFInstall.log


LastWriteTime : 19.08.2022 22:00:14
Length        : 1081352
Name          : Uninstall.exe


Path          : C:\Program Files\Npcap\npcap.cat
Status        : Valid
StatusMessage : Signature verified.
Thumbprint    : 451B7F8A4C0E669189E9382A09E423C2B875AD42


Path          : C:\Program Files\Npcap\npcap.inf
Status        : Valid
StatusMessage : Signature verified.
Thumbprint    : 451B7F8A4C0E669189E9382A09E423C2B875AD42


Path          : C:\Program Files\Npcap\npcap.sys
Status        : Valid
StatusMessage : Signature verified.
Thumbprint    : 451B7F8A4C0E669189E9382A09E423C2B875AD42


Path          : C:\Program Files\Npcap\NPFInstall.exe
Status        : Valid
StatusMessage : Signature verified.
Thumbprint    : 3C0D087ECDCC76D1084ABE00F1FEE5040400AE37


Path          : C:\Program Files\Npcap\Uninstall.exe
Status        : Valid
StatusMessage : Signature verified.
Thumbprint    : 3C0D087ECDCC76D1084ABE00F1FEE5040400AE37


LastWriteTime : 19.08.2022 21:09:20
Length        : 156624
Name          : NpcapHelper.exe


LastWriteTime : 19.08.2022 21:09:18
Length        : 219600
Name          : Packet.dll


LastWriteTime : 19.08.2022 21:09:20
Length        : 266704
Name          : WlanHelper.exe


LastWriteTime : 19.08.2022 21:09:20
Length        : 489424
Name          : wpcap.dll


LastWriteTime : 19.08.2022 21:09:20
Length        : 156624
Name          : NpcapHelper.exe


LastWriteTime : 19.08.2022 21:09:18
Length        : 219600
Name          : Packet.dll


LastWriteTime : 19.08.2022 21:09:20
Length        : 266704
Name          : WlanHelper.exe


LastWriteTime : 19.08.2022 21:09:20
Length        : 489424
Name          : wpcap.dll



*************************************************
WinPcap Info:
*************************************************
HKLM:\SOFTWARE\WOW6432Node\WinPcap:
Not present.


*************************************************
Registry Info:
*************************************************
HKLM:\SOFTWARE\WOW6432Node\Npcap:


AdminOnly         : 0
WinPcapCompatible : 1
(default)         : C:\Program Files\Npcap



HKLM:\SYSTEM\CurrentControlSet\Services\npcap:


Type               : 1
Start              : 1
ErrorControl       : 1
Tag                : 32
ImagePath          : \SystemRoot\system32\DRIVERS\npcap.sys
DisplayName        : @oem32.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP)
Group              : NDIS
Description        : @oem32.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP)
NdisMajorVersion   : 6
NdisMinorVersion   : 50
DriverMajorVersion : 1
DriverMinorVersion : 71



HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters:


LoopbackSupport              : 1
DltNull                      : 1
Edition                      : Npcap
AdminOnly                    : 0
Dot11Support                 : 0
NdisImPlatformBindingOptions : 2
DefaultFilterSettings        : 1
VlanSupport                  : 0
WinPcapCompatible            : 1



HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi:


Start        : 4



HKLM:\SYSTEM\CurrentControlSet\Services\npf:
Not present.
HKLM:\SYSTEM\CurrentControlSet\Services\npf\Parameters:
Not present.
HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi:
Not present.


*************************************************
Service Info:
*************************************************

Status      : Running
Name        : npcap
DisplayName : Npcap Packet Driver (NPCAP)

Get-Service : Cannot find any service with service name 'npf'.
At C:\Program Files\Npcap\DiagReport.ps1:214 char:1
+ Get-Service npf
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (npf:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand
 


*************************************************
Install Info:
*************************************************
Please refer to: C:\Program Files\Npcap\install.log

Additional context

  • I tried ncap 0.992, 1.50, 1.60, 1.70, 1.71
  • wireshark 4.0 works fine with 1.71
@guyharris
Copy link
Contributor

Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.

@guyharris
Copy link
Contributor

guyharris commented Oct 9, 2022

And what was the filter expression?

If, as per my guess in #578, a Wireguard interface has NDIS type NdisMediumIP, which maps to libpcap type DLT_RAW, while filter expressions that test the IP layer and above should work, expression that test stuff below the IP layer, such as anything that tests the link layer, including tests of the packet type that test for anything other than IPv4 or IPv6 packets, will not work.

If, for example, I run the command

tcpdump -r raw-ip-capture.pcap arp

where raw-ip-capture.pcap is a file with a link-layer type of LINKTYPE_RAW, which maps to DLT_RAW:

reading from file raw-ip-capture.pcap, link-type RAW (Raw IP), snapshot length 65535

I get

tcpdump: expression rejects all packets

That happens to e on macOS, with a capture made on an unknown system, but the same behavior will occur with a capture on a DLT_RAW interface on any operating system.

@guyharris
Copy link
Contributor

guyharris commented Oct 9, 2022

And what is the tool you're using for "scanning"? In Nmap issue #nmap/nmap#2381, it says nmap should "verify that the pcap_datalink() type supports ARP before using ARP scan for host discovery on that link"; if the link-layer type of a Wireguard tunnel is NdisMediumIP, which means "raw IP with no link-layer header", and which thus MUST map to DLT_RAW, that link-layer type does not and cannot support ARP packets - it can't support filtering for them, and it can't even support supplying them to programs doing capturing.

@bigretromike
Copy link
Author

bigretromike commented Oct 9, 2022

Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.

I have no idea how I could check the if this is the same value that is in the oem23.inf that is liked in properties of network controler, then its: *MediaType = 19 ; NdisMediumIP

And what was the filter expression?

nmap 10.255.100.1 the 10.255.100.1 is the wireguard endpoint ip on the other side, and its results in error.
namp 10.255.100.3 is working fine but that is the ip of wireguard interface itself on my side (local)
nmap 192.168.20.1 is also not working, this is the network on ther other side of tunnel which traffic is routed thru wireguard tunel.

And what is the tool you're using for "scanning"?

I was reffering to nmap which I would like to use to scan the other side of tunnel.
I found out that using Wireshark which sadly dont give me the functionaly of nmap but use same npcap? (from what I understand) works correct (mayby somekind of workaround?).

DLT_RAW, that link-layer type does not and cannot support ARP packets - it can't support filtering for them, and it can't even support supplying them to programs doing capturing.

Do I understand correctly that for now I cannot use nmap for wireguard tunnels ?
Or is there a way to scan hosts without using ARP ?

edit: I tried with nmap --disable-arp-ping 10.255.100.1 still Error compiling our pcap filter: expression rejects all packets

@guyharris
Copy link
Contributor

Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.

I have no idea how I could check the if this is the same value that is in the oem23.inf that is liked in properties of network controler, then its: *MediaType = 19 ; NdisMediumIP

Yup, that means "packets that begin with an IP header", so it's mapped to DLT_RAW, and the ONLY valid packet types are currently IPv4 packets and IPv6 packets, distinguished by the upper 4 bits of the first octet of the packet. ARP packets are not supported.

And what was the filter expression?

nmap 10.255.100.1

That's the argument to nmap, not a filter expression generated by nmap. That's a question that would have to be answered by an nmap developer, perhaps by an nmap developer changing nmap to report the generated filter when pcap_compile() fails (hint hint).

And what is the tool you're using for "scanning"?

I was reffering to nmap which I would like to use to scan the other side of tunnel. I found out that using Wireshark which sadly dont give me the functionaly of nmap but use same npcap? (from what I understand) works correct (mayby somekind of workaround?).

The "workaround" is

  1. in the few cases where Wireshark generates any part of a capture filter filter, what it generates tests only at the IP layer or above, which isn't by deliberate design, it's by "the stuff it generates is trying to avoid traffic generated by Wireshark itself, which is typically SSH or X11 traffic, so it just filters by host name";
  2. you didn't type anything that involves filtering at a layer below the IP layer into any window field that contains capture filter text.

If you were to try to capture on the Wireguard interface with a filter expression such as "arp", or "ether host XXX", or "ether proto 0x0806', or..., you'd get an error.

Do I understand correctly that for now I cannot use nmap for wireguard tunnels ?

Only if...

Or is there a way to scan hosts without using ARP ?

...there's a way to get nmap not to try to use any filter of the aforementioned sort on that interface.

Note that this is neither WinPcap/Npcap-specific nor Windows-specific:

$ tcpdump -i lo0 arp
tcpdump: expression rejects all packets
$ tcpdump -i lo0 ether host 01:02:03:04:05:06
tcpdump: ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
$ tcpdump -i lo0 isis
tcpdump: expression rejects all packets

This is on macOS, but you'll get the same results (modulo the particular error message) on any other 4.4-Lite-derived OS, as the loopback interface on those OSes does not have a link-layer type that provides an Ethernet header. On Linux, it does, but unless your software is never ever ever going to run on anything other than Linux, you should not rely on the loopback interface providing an Ethernet header when you capture on it.

@guyharris
Copy link
Contributor

It would be best if nmap would avoid doing anything involving MAC addresses - including assuming that a network has MAC addresses and that "ether host"/"ether src"/"ether dst" will work - or packet types other than IPv4 and IPv6, on any link-layer header types other than:

  • DLT_EN10MB;
  • DLT_FDDI;
  • DLT_IEEE802 (which, in practice, really means DLT_IEEE802_5, i.e. 802.5 Token Run);
  • DLT_IEEE802_11;
  • DLT_PRISM_HEADER;
  • DLT_IEEE802_11_RADIO_AVS;
  • DLT_IEEE802_11_RADIO;
  • DLT_PPI;
  • DLT_IP_OVER_FC.

@bigretromike
Copy link
Author

@guyharris that is a lot of wisdom you put on me, thank you very much.

So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap. ( I was hoping that -disable-arp-ping was that thing).
Until then one could use tools like wireshark and restrain himself from using any filter that use ARP.

Maybe a bad assumption about higher layer is using valid lower layer or maybe technology and non-standard solution (or future standard) went to much ahead of nmap development 👍

@guyharris
Copy link
Contributor

So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap.

Or whatever it is that's causing nmap to generate a filter of some sort that isn't supported for packets that begin with an IP header; from a quick look at the code it appears that nmap may do IPv6 Neighbor Discovery and have a capture filter that checks for some multicast MAC address, but there isn't any MAC address in DLT_RAW packets.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants