nmap / nmap

Nmap - the Network Mapper. Github mirror of official SVN repository.
https://svn.nmap.org/

Npcap loopback adapter installed as Type=Ethernet #1585

Closed gghart closed 5 years ago

gghart commented 5 years ago

When we upgraded Wireshark from 2.x to 3.x and switched to Npcap, we noticed that some of our networking code was having issues, which seems to be related to Npcap setting the incorrect interface type in Windows.

In C#, we search for valid adapters with this code:

    // Eliminate on a few other conditions too
    foreach (var ni in NetworkInterface.GetAllNetworkInterfaces())
    {
        // Bad states
        if (ni.OperationalStatus != OperationalStatus.Up)
        {
            EventLogging.LogEvent(Severity.Info, "Skipping interface " + ni.Name + " since it is not up (State=" + ni.OperationalStatus + ")");
            continue;
        }

        // Skip adapters whose reported type is Loopback
        if (ni.NetworkInterfaceType == NetworkInterfaceType.Loopback)
        {
            EventLogging.LogEvent(Severity.Info, "Skipping interface " + ni.Name + " since it is a loopback");
            continue;
        }

        return true;
    }

This does not work with Npcap interfaces because the type is set to Ethernet, not Loopback:

    {System.Net.NetworkInformation.SystemNetworkInterface}
    Description: "Npcap Loopback Adapter"
    Id: "{94E3ED9F-6A53-4FBB-A93E-DB6BC2DB7120}"
    IsReceiveOnly: false
    Name: "Npcap Loopback Adapter"
    NetworkInterfaceType: Ethernet <-----
    OperationalStatus: Up
    Speed: 1215752192
    SupportsMulticast: true

Winpcap set NetworkInterfaceType = NetworkInterfaceType.Loopback, which seems to make sense given the description, but Npcap is using NetworkInterfaceType.Ethernet, which does not seem appropriate.

Please confirm,

Thanks,

Geoff

guyharris commented 5 years ago

> Winpcap set NetworkInterfaceType = NetworkInterfaceType.Loopback,

No, it didn't - there is no loopback device with WinPcap. There's a reason why the device is called the "Npcap Loopback Adapter"; if you had an Npcap Loopback Adapter with Wireshark 2.x, it's because somebody installed Npcap on your machine, and you may have had an older version than the one the installer for which is bundled with Wireshark 3.0.

Note that Wireshark 3.0.1, not 3.0, is the current version, and it is bundled with an installer for Npcap 0.992; you currently have Wireshark 3.0.0, with Npcap 0.99-r9, installed, according to the version information in your Wireshark bug report. You might want to try updating to 3.0.1.

> which seems to make sense given the description, but Npcap is using NetworkInterfaceType.Ethernet, which does not seem appropriate.

I'm not sure how .NET creates the NetworkInterfaceType value for an interface - the NDIS medium types don't match with the NetworkInterfaceTypes - but there is an NdisMediumLoopback NDIS medium type.

The Npcap Loopback Adapter, when Yang Luo was developing it, originally, as I remember, offered fake Ethernet headers (which is not unprecedented - that's what Linux does); I may have suggested going with the BSD DLT_NULL header, which obviates the need to fake a source or destination address, but does mean that packets other than IPv4 or IPv6 packets may not have their packet types representable. I don't remember whether he ended up going with the DLT_NULL header only, or with a configuration option to control which header to use. If it's a configuration option, how does that get set?

dmiller-nmap commented 5 years ago

The Npcap Loopback Adapter is pretty much a vanilla/unmodified installation of the Microsoft KM-TEST Loopback Adapter, so it inherits all these values from there. We do make one change, marking the adapter as an endpoint adapter and not a network adapter (See #653), but when we tried to set other values like Physical Medium, there were inconsistencies in how those were treated in the different versions of Windows. Some would overwrite our settings, others would pause network connectivity, etc.

gghart commented 5 years ago

@guyharris You're definitely right about Wireshark 2.x; that loopback adapter is from someone else - which we only found when we rebuilt a test machine from scratch. Getting rid of WinPcap was awesome though, that fixes some serious side-effects!!

The first reports we got of issues with our app were when people installed Wireshark 3.x and got the Npcap Loopback adapter from there. We have tested against 3.0 and 3.0.1 with both versions of Npcap and they behave the same.

It's not a particularly serious problem, but it is kind of a weird one to see it reported as Ethernet instead of Loopback in C#.

For now, we've just changed our code to ignore Type loopback or name contains loopback. You can feel free to address it or ignore it; just reported it as it seems odd to us.
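Added example, not code from the reporter's application or from Npcap: one way to write the workaround described in the comment above, skipping an adapter when its type is Loopback or its name or description contains "loopback". The names `AdapterFilter` and `SkipReason` are hypothetical, and the two sample rows other than the Npcap one are constructed.

```csharp
using System;
using System.Net.NetworkInformation;

static class AdapterFilter
{
    // Returns null when the adapter is usable, otherwise the reason it is skipped.
    // Takes plain fields so the decision can be checked against recorded values.
    public static string SkipReason(string name, string description,
                                    NetworkInterfaceType type, OperationalStatus status)
    {
        if (status != OperationalStatus.Up)
            return "not up (State=" + status + ")";
        if (type == NetworkInterfaceType.Loopback)
            return "type is Loopback";
        // The Npcap Loopback Adapter reports Ethernet, so also match on the text fields.
        if (ContainsLoopback(name) || ContainsLoopback(description))
            return "name or description contains \"loopback\"";
        return null;
    }

    static bool ContainsLoopback(string s)
    {
        return s != null && s.IndexOf("loopback", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Main()
    {
        // Constructed sample rows; the first uses the values shown in the report above.
        var samples = new[]
        {
            Tuple.Create("Npcap Loopback Adapter", "Npcap Loopback Adapter",
                         NetworkInterfaceType.Ethernet, OperationalStatus.Up),
            Tuple.Create("Ethernet0", "Example Gigabit NIC",
                         NetworkInterfaceType.Ethernet, OperationalStatus.Up),
            Tuple.Create("Wi-Fi", "Example Wireless NIC",
                         NetworkInterfaceType.Wireless80211, OperationalStatus.Down),
        };
        foreach (var s in samples)
            Console.WriteLine(s.Item1 + ": " +
                (SkipReason(s.Item1, s.Item2, s.Item3, s.Item4) ?? "usable"));

        // Same check over the adapters present on this machine.
        foreach (var ni in NetworkInterface.GetAllNetworkInterfaces())
            Console.WriteLine(ni.Name + ": " +
                (SkipReason(ni.Name, ni.Description, ni.NetworkInterfaceType, ni.OperationalStatus) ?? "usable"));
    }
}
```

The text match is a heuristic: it depends on the adapter keeping "loopback" in its name or description, so a renamed adapter is only caught if the description still carries the word.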

dmiller-nmap commented 5 years ago

Thanks for the report! The Npcap Loopback Adapter was known to cause problems with some software, so we removed the need for it in Npcap 0.9983, released today. Be sure to deselect (un-check) the "Legacy loopback support" to get the new loopback capture support without cluttering up the list of real network adapters. Let us know how it works for you.

gghart commented 5 years ago

Resolved in Npcap 0.9983 - thanks!