search

nmap / nmap

Nmap - the Network Mapper. Github mirror of official SVN repository.
https://svn.nmap.org/
Other
10.17k stars 2.4k forks source link

NPcap fails for PacketRequest(OID_GEN_MEDIA_CONNECT_STATUS) #1127

Closed pstavirs closed 6 years ago

pstavirs commented 6 years ago

For the following application code -

    memset(linkStateOid_, 0, sizeof(PACKET_OID_DATA) + sizeof(uint));
    linkStateOid_->Oid = OID_GEN_MEDIA_CONNECT_STATUS;
    linkStateOid_->Length = sizeof(uint);
    if (PacketRequest(adapter_, 0, linkStateOid_))
        . . .

the PacketRequest call works with WinPcap, but returns false with NPcap

Full application code - https://github.com/pstavirs/ostinato/blob/master/server/winpcapport.cpp#L66

MSFT OID Ref: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/oid-gen-media-connect-status

The above MSFT ref says -

NDIS handles this OID for NDIS 6.0 and later miniport drivers.

So, my guess is it is expected to automatically work with NPcap - but it doesn't

dmiller-nmap commented 6 years ago

Npcap is not a miniport driver, but a Lightweight Filter Driver. Jeffrey Tippet of Microsoft noted on ntdev:

LWFs are not allowed to query certain deprecated OIDs, including OID_GEN_LINK_SPEED, OID_GEN_MEDIA_CONNECT_STATUS, and OID_GEN_MAXIMUM_FRAME_SIZE. These queries will always fail. Instead, query OID_GEN_LINK_STATE.

dmiller-nmap commented 6 years ago

Sorry, that was a little abrupt. Thanks for reporting this! I learned something valuable. Is there somewhere in Npcap's documentation that you would expect to find this information? Maybe we can make it easier to avoid in the future.

pstavirs commented 6 years ago

@dmiller-nmap I would suggest adding a Compatitibility with WinPcap section to https://nmap.org/npcap/guide/npcap-devguide.html with these details. This section can be expanded in the future if any other similar incompatibility is found.

Additionally, I would suggest to consider internally mapping the deprecated OIDs to the new OID to address this so that applications can still use NPCAP as a drop-in replacement for WinPCAP without having to change any code - if you don't want to do this after due consideration, that's fine too.

guyharris commented 6 years ago

OID_GEN_MEDIA_CONNECT_STATUS_EX might also work; Tippet's post didn't mention it as allowed, but also didn't mention it as forbidden, and I thought I saw something on a Microsoft site indicate that it's what OID_GEN_MEDIA_CONNECT_STATUS was deprecated in favor of.

Nevertheless, I just checked a change into the libpcap master branch to use OID_GET_LINK_STATE rather than OID_GEN_MEDIA_CONNECT_STATUS_EX, just in case. (libpcap 1.9 will support more flags in the flags field of the structures provided by pcap_findalldevs() and pcap_findalldevs_ex(), with flags indicating whether a device is wireless and a field indicating whether the device is "connected", "disconnected", "unknown", or "a device for which the connection status is inapplicable", with "connected" and "disconnected" meaning "associated with a network" and "not associated with a network" for wireless devices. There's currently support for the new flags on Linux, macOS, *BSD, and Windows with WinPcap/Npcap, although it's currently untested with Npcap; I need to set up a new VM to test 1) post-Windows 7 Windows and 2) Npcap.

(Is there some way to easily switch between WinPcap and Npcap for testing purposes?)

pstavirs commented 4 years ago

To close the loop on this, OID_GEN_MEDIA_CONNECT_STATUS and OID_GEN_MEDIA_CONNECT_STATUS_EX do not work with npcap (v0.9987) and Win10, but OID_GEN_LINK_STATE works.

However, none of the above including OID_GEN_LINK_STATE works with the following adaptors -

Any ideas why?