Closed hsluoyz closed 7 years ago
chmorgan
commented
7 years ago I created a pull request for null support and tried to tag you on the change.
The only confusing part is proper byte swapping. It is recorded in the byte order of the machine that it was recorded on, which, as the documentation indicates, may not match the machine the file is being accessed on.
hsluoyz
commented
7 years ago This is a good question. In fact, there's already a discussion about it here: http://seclists.org/wireshark/2016/Sep/82.
Simply speaking, libpcap regards 24, 28, 30 all as IPV6 in DLT_NULL. I saw you did the same thing in the code, so it's along the right way:)
hsluoyz
commented
7 years ago PR is here: https://github.com/chmorgan/packetnet/pull/16
A Stackoverflow user complains this issue here: http://stackoverflow.com/questions/42131550/how-to-monitor-the-windows-loopback-adapter-using-sharppcap-and-npcap
This is because by default, Npcap provides the data link layer header in DLT_NULL instead of Ethernet. And the PacketDotNet library SharpPcap uses doesn't support DLT_NULL. DLT_NULL is the standard interface for a loopback device on Linux. This is why Npcap also adopts it as the 2nd layer encapsulation for Npcap Loopback Adapter. The details can be found here:
http://www.tcpdump.org/linktypes.html https://github.com/nmap/nmap/issues/200
So the best solution seems to implement DLT_NULL for PacketDotNet. The exception seems to be triggered here: https://github.com/chmorgan/packetnet/blob/master/PacketDotNet/Packet.cs#L327
The implementation should be very simple: DLT_NULL only contains 4 bytes:
0x02, 0x00, 0x00, 0x00for IPv4 payload and0x18, 0x00, 0x00, 0x00for IPv6 payload, both in network order.In fact, Nmap, Wireshark and Libpcap have a discussion about the IPv6 value and finally agree on
0x18on Windows platform. The discussion archive is here: http://seclists.org/wireshark/2015/Aug/182