dotpcap / sharppcap

Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets

Npcap loopback adapter is not in the SharpPcap CaptureDeviceList #15

Closed hsluoyz closed 7 years ago

hsluoyz commented 7 years ago

I have installed the Npcap driver, because I want to monitor the windows loopback traffic. However the Npcap Loopback Adapter is not in the SharpPcap CaptureDeviceList.

I can see the Npcap Loopback Adapter in Wireshark and Wireshark is able to monitor the loopback traffic through it based on: https://wiki.wireshark.org/CaptureSetup/Loopback

What should I do to monitor the Npcap Loopback Adapter using SharpPcap?

http://stackoverflow.com/questions/42131550/how-to-monitor-the-windows-loopback-adapter-using-sharppcap-and-npcap

chmorgan commented 7 years ago

Didn't we have something else around npcap a number of months ago that was fixed in npcap? I went looking for that issue but couldn't find it...

Were there any api changes in npcap.dll vs. the original winpcap.dll? If someone were to use winpcap.dll from npcap would it be expected that the loopback device would be listed there? I don't believe SharpPcap is doing any kind of device name validation so if the loopback device were in the list provided back by winpcap.dll it should show up... Thoughts?

hsluoyz commented 7 years ago

Hi @chmorgan ,

The first issue I found is that the current SharpPcap doesn't support the Npcap native mode (Npcap DLLs will be installed in System32\Npcap instead of System32). The impact is that the user has to install Npcap with the WinPcap Compatible Mode option checked to use it with SharpPcap. Otherwise, SharpPcap cannot find the Npcap DLLs. Enabling this option will install another copy of the Npcap driver that is compatible with WinPcap (like installing the DLLs to System32), which may affect the performance. So Npcap suggests that all its downstream software support Npcap native mode. Software like Wireshark and GNS3 already supports Npcap native mode. Please refer to the docs here for details and implementation guidelines.

hsluoyz commented 7 years ago

I installed latest Npcap 0.80 with Install Npcap in WinPcap API-compatible Mode option checked and ran the Example01.IfList example in the SharpPcap repo, and the output is:

SharpPcap 4.2.0.0, Example1.IfList.cs

The following devices are available on this machine:
----------------------------------------------------

interface: Name: rpcap://\Device\NPF_{9ADACD44-ECFF-45E2-BD5E-3491DEBA711F}
Description: Network adapter 'NdisWan Adapter' on local host
Flags: 0

interface: Name: rpcap://\Device\NPF_{8A300A14-CA5A-4A3C-B52B-7516661B4CDA}
Description: Network adapter 'NdisWan Adapter' on local host
Flags: 0

interface: Name: rpcap://\Device\NPF_{44DB6B7A-661D-4FA3-925E-6287EA48D3F6}
Description: Network adapter 'NdisWan Adapter' on local host
Flags: 0

interface: Name: rpcap://\Device\NPF_{F0353155-69D0-4611-AB2A-EE864BE0ADD9}
FriendlyName: Local Area Connection* 19
GatewayAddress: 0.0.0.0
Description: Network adapter 'Microsoft' on local host
Addresses:
Addr:      fe80::cd59:f5d:81cb:989d
Netmask:
Broadaddr:

Addresses:
Addr:      fe80::cd59:f5d:81cb:989d
Netmask:
Broadaddr:

Addresses:
Addr:      HW addr: E094678FFF3F

Flags: 0

interface: Name: rpcap://\Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9}
FriendlyName: Wi-Fi
GatewayAddress: 192.168.0.1
Description: Network adapter 'Microsoft' on local host
Addresses:
Addr:      fe80::eddc:63ca:cf19:aecd
Netmask:
Broadaddr:

Addresses:
Addr:      192.168.0.109
Netmask:   255.255.255.0
Broadaddr: 0.0.0.0

Addresses:
Addr:      HW addr: E094678FFF3E

Flags: 0

interface: Name: rpcap://\Device\NPF_{1E6769B9-ED4A-454D-A921-EECDA220ADA1}
FriendlyName: Npcap Loopback Adapter
GatewayAddress: 0.0.0.0
Description: Network adapter 'MS NDIS 6.0 LoopBack Driver' on local host
Addresses:
Addr:      fe80::b1cb:57f6:4ebc:6359
Netmask:
Broadaddr:

Addresses:
Addr:      0.0.0.0
Netmask:   255.0.0.0
Broadaddr: 255.255.255.255

Addresses:
Addr:      HW addr: 02004C4F4F50

Flags: 1

Hit 'Enter' to exit...

So obviously the last adapter is the Npcap Loopback Adapter. I don't know why the user cannot monitor the Npcap Loopback Adapter using SharpPcap. I will reply to him with my feedback on Stack Overflow.

I can think of two possible causes:

  1. The user didn't select the Support loopback traffic ("Npcap Loopback Adapter" will be created) option when installing Npcap.
  2. The user has WinPcap installed too, and Npcap is installed with the Install Npcap in WinPcap API-compatible Mode option unchecked. In this case, SharpPcap can only recognize WinPcap and use the original WinPcap DLLs, which don't support the Npcap Loopback Adapter at all.

My suggestions are:

  1. Uninstall WinPcap if it is installed.
  2. Install the latest Npcap 0.80 with the Support loopback traffic ("Npcap Loopback Adapter" will be created) and Install Npcap in WinPcap API-compatible Mode options both checked.

Now the user should be able to see the Npcap Loopback Adapter through the SharpPcap interface.

chmorgan commented 7 years ago

I could add npcap support to SharpPcap. It looks like npcap is solely for Windows. Thoughts on making a NpcapDevice and NpcapDeviceList and hooking that into the capture list code so it will try to find npcap devices before winpcap devices?

hsluoyz commented 7 years ago

You don't need to modify the adapter list. You just need to load the Npcap DLLs. Npcap DLL will provide the correct adapter list.

chmorgan commented 7 years ago

Hmm. I'm not sure DllImport will let me do that transparently, you can set the dll on the DllImport attribute but it doesn't look like you can do that with multiple dlls.

Npcap looks clearly like the future, winpcap has been unmaintained for years now. Thank you for working on that project.

I think we do need a new class to handle the Npcap dll. Where is the api documentation for npcap on the web? I don't see any.

hsluoyz commented 7 years ago

I found that your wpcap.dll import code is in LibPcapSafeNativeMethods.cs. Is there a way to let this code load wpcap.dll from System32\Npcap first?

Npcap doesn't change the Libpcap API. But since Npcap uses the latest Libpcap 1.8.1 API, it may differ from the legacy Libpcap 1.0.0 API shipped with WinPcap.

chmorgan commented 7 years ago

Unfortunately it doesn't look like a DllImport can work like that. Thoughts on switching away from WinPcap to Npcap and just going that route?

hsluoyz commented 7 years ago

It's similar to our example way for C++. First call SetDllDirectory() to add the C:\Windows\System32\Npcap path to the DLL search paths. Then delay-load wpcap.dll. Since C# is always dynamically loading DLLs, the second step can even be omitted.

I have sent a PR here: https://github.com/chmorgan/sharppcap/pull/16. Tested with Npcap 0.80, WinPcap 4.1.3 and latest SharpPcap. Now SharpPcap will first use Npcap instead of legacy WinPcap.
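The approach described in the comment above (add the Npcap native-mode directory to the DLL search path before the first call into wpcap.dll), sketched in C# as an added example; it is not the code from the linked PR, and the names NpcapLoader and PreferNpcap are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class NpcapLoader // hypothetical name, not a SharpPcap class
{
    // Win32 API: adds one directory to this process's DLL search path.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool SetDllDirectory(string lpPathName);

    // libpcap function exported by wpcap.dll; the DLL is resolved lazily,
    // on the first call, which is why no explicit delay-load step is needed.
    [DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern IntPtr pcap_lib_version();

    // Returns true if the Npcap native-mode directory was added to the search path.
    public static bool PreferNpcap()
    {
        // Build an absolute path from the system directory. A relative or
        // user-writable directory here would let another wpcap.dll be planted.
        string npcapDir = Path.Combine(Environment.SystemDirectory, "Npcap");
        if (!File.Exists(Path.Combine(npcapDir, "wpcap.dll")))
            return false; // no native-mode Npcap; default search may still find WinPcap
        if (!SetDllDirectory(npcapDir))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return true;
    }

    static void Main()
    {
        // Must run before the first P/Invoke into wpcap.dll: once the DLL is
        // loaded, changing the search path no longer affects it.
        Console.WriteLine("Npcap directory added: " + PreferNpcap());
        try
        {
            // The version string shows which library was actually loaded.
            Console.WriteLine(Marshal.PtrToStringAnsi(pcap_lib_version()));
        }
        catch (DllNotFoundException)
        {
            Console.WriteLine("wpcap.dll not found: neither Npcap nor WinPcap is installed.");
        }
    }
}
```

The directory passed to SetDllDirectory is searched after the application's own directory and before System32, so a wpcap.dll shipped next to the executable still takes precedence, and the setting applies to every later DLL load in the process.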

hsluoyz commented 7 years ago

And the user reports another issue after working around this issue: SharpPcap doesn't support the DLT_NULL link type. I will report it in another issue.

chmorgan commented 7 years ago

Hi Yang.

Could you attach a .pcap file with a few packets of type DLT_NULL? I'm having trouble capturing them with sharppcap at this point, even using npcap, and having that file would let me add support for it to packet.net while working on the issue with capturing them on the sharppcap/npcap side.

hsluoyz commented 7 years ago

Do you have Wireshark? Just capture on Npcap Loopback Adapter, it will supply you the DLT_NULL packets by default.

I also attached a pcap here, please open it with latest Wireshark. npcap_loopback.zip