Use correct flags to determine fragmented or reassembled packets.

[JasonStephenson]

I've encountered a compatibility issue between my (the company I work for) network driver and wireshark/npcap. When capturing Loopback packets with Wireshark HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters\LoopbackSupport=dword:00000001 my packets fail to inject with NDIS_STATUS_DATA_NOT_ACCEPTED.

I believe this is caused by npcap incorrectly identifying my packets as having been fragmented.
The logic npcap uses to identify this is based on the currentMetadataValues bitset inMetaValues->currentMetadataValues & FWP_CONDITION_FLAG_IS_REASSEMBLED
However as per these docs the currentMetadataValues bitset only identifies which values have been set in the metadata.

When npcap executes inMetaValues->currentMetadataValues & FWP_CONDITION_FLAG_IS_REASSEMBLED what it is actually checking is whether the inMetaValues->transportHeaderSize has been set, because FWP_CONDITION_FLAG_IS_REASSEMBLED and FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE are both 0x400.

What npcap should really be doing is using the FWP_CONDITION_FLAG_IS_REASSEMBLED on the layer dependent flags bitset as per this doc

A question which you may be asking is why would this break packet injection, surely if npcap bails early from it's ClassifyFn then no harm done. Sadly it's not as simple as that, after some digging it looks like
Windows indicates my packets twice to npcaps callout function. The first time with a transport header present (which npcap incorrectly identifies as a fragment) and a second time without a transport header which is processed fully by npcaps callout function. Below is a printout I have performed which demonstrates this. I've also spat out the packet buffer for completeness.

FIRST INDICATION

NPCAP: ---Layer: FWPS_LAYER_OUTBOUND_IPPACKET_V6---
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_IP_LOCAL_ADDRESS: fdeb:af7e:3f3f:1000:4825:a755:dd83:bf23
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_IP_REMOTE_ADDRESS: fdeb:af7e:3f3f:1000:4825:a755:dd83:bf23
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_IP_LOCAL_INTERFACE: 0x83007f01000000
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_INTERFACE_INDEX: 0x6
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_SUB_INTERFACE_INDEX: 0
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_FLAGS: 0x1
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_INTERFACE_TYPE: 0x83
NPCAP: FWPS_FIELD_OUTBOUND_IPPACKET_V4_TUNNEL_TYPE: 0xf
NPCAP: ---METADATA---
NPCAP: FWPS_METADATA_FIELD_IP_HEADER_SIZE=28
NPCAP: FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE=8
NPCAP: FWPS_METADATA_FIELD_COMPARTMENT_ID=1
NPCAP: FWPS_METADATA_FIELD_PATH_MTU=FFFF
Breakpoint 1 hit
npcap!NPF_NetworkClassify+0x7d:
fffff806`53303b9d 393d75540100    cmp     dword ptr [npcap!dome (fffff806`53319018)],edi
1: kd> !ndiskd.nbl 0xffff8f06`d3578da0 -data
NET_BUFFER ffff8f06d3578f20
  MDL ffff8f06d12eaa70
    ffff8f06d12eab00  60 00 00 00 00 6b 11 80-fd eb af 7e 3f 3f 10 00  `····k·····~??··
    ffff8f06d12eab10  48 25 a7 55 dd 83 bf 23-fd eb af 7e 3f 3f 10 00  H%·U···#···~??··
    ffff8f06d12eab20  48 25 a7 55 dd 83 bf 23                          H%·U···#
  MDL ffff8f06d7a81f10
    ffff8f06d80b0090  dd d8 fe ea 00 6b 1c ab-fd f2 01 00 00 01 00 00  ·····k··········
    ffff8f06d80b00a0  00 00 00 00 19 64 69 72-65 63 74 61 63 63 65 73  ·····directacces
    ffff8f06d80b00b0  73 2d 77 65 62 70 72 6f-62 65 68 6f 73 74 07 65  s-webprobehost·e
    ffff8f06d80b00c0  73 75 70 6c 61 62 05 6c-6f 63 61 6c 00 00 1c 00  suplab·local····
    ffff8f06d80b00d0  01 ef be ad de 01 10 fd-eb af 7e 3f 3f 33 33 00  ··········~??33·
    ffff8f06d80b00e0  00 00 00 00 00 00 01 0c-00 00 00 01 01 00 00 00  ················
    ffff8f06d80b00f0  00 00 05 14 00 00 00 2a-00 00 00                 ·······*···
NPCAP: MISTAKENLY IDENTIFIED AS REASSEMBLED

SECOND INDICATION

NPCAP: ---Layer: FWPS_LAYER_INBOUND_IPPACKET_V6---
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_IP_LOCAL_ADDRESS: fdeb:af7e:3f3f:1000:4825:a755:dd83:bf23
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_IP_REMOTE_ADDRESS: fdeb:af7e:3f3f:1000:4825:a755:dd83:bf23
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_IP_LOCAL_INTERFACE: 0x83007f01000000
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_INTERFACE_INDEX: 0x6
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_SUB_INTERFACE_INDEX: 0
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_FLAGS: 0x1
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_INTERFACE_TYPE: 0x83
NPCAP: FWPS_FIELD_INBOUND_IPPACKET_V4_TUNNEL_TYPE: 0xf
NPCAP: ---METADATA---
NPCAP: FWPS_METADATA_FIELD_IP_HEADER_SIZE=28
NPCAP: FWPS_METADATA_FIELD_COMPARTMENT_ID=1
Breakpoint 1 hit
npcap!NPF_NetworkClassify+0x7d:
fffff806`53303b9d 393d75540100    cmp     dword ptr [npcap!dome (fffff806`53319018)],edi
1: kd> !ndiskd.nbl 0xffff8f06`d3578da0 -data
NET_BUFFER ffff8f06d3578f20
  MDL ffff8f06d7a81f10
    ffff8f06d80b0090  dd d8 fe ea 00 6b 1c ab-fd f2 01 00 00 01 00 00  ·····k··········
    ffff8f06d80b00a0  00 00 00 00 19 64 69 72-65 63 74 61 63 63 65 73  ·····directacces
    ffff8f06d80b00b0  73 2d 77 65 62 70 72 6f-62 65 68 6f 73 74 07 65  s-webprobehost·e
    ffff8f06d80b00c0  73 75 70 6c 61 62 05 6c-6f 63 61 6c 00 00 1c 00  suplab·local····
    ffff8f06d80b00d0  01 ef be ad de 01 10 fd-eb af 7e 3f 3f 33 33 00  ··········~??33·
    ffff8f06d80b00e0  00 00 00 00 00 00 01 0c-00 00 00 01 01 00 00 00  ················
    ffff8f06d80b00f0  00 00 05 14 00 00 00 2a-00 00 00                 ·······*···

I have done quite a bit of testing with this fix and as far as I can tell I am have no adverse affects on my system. My callout driver does not complain about dropped packets and Wireshark continues to see traffic over the loopback adapter.

Some other variable which may or may not be relevant:

• I am connected to a company network using DirectAccess (an IPSEC VPN) to do some IPSEC compatibility testing.

• Our driver correctly obeys https://docs.microsoft.com/en-us/windows-hardware/drivers/network/developing-ipsec-compatible-callout-drivers

[dmiller-nmap]

Thanks for pointing this out! I'm in the middle of a rather extensive rewrite of our classify function, so your patch won't apply directly, but I see the change that needs to be made and will get it merged correctly with full credit to you. Thanks!

[JasonStephenson]

Do you have any idea which release this work would be done in? I'd like to have it stated in our document which version we're compatible with

[dmiller-nmap]

This change will be released in Npcap 0.9988