search

nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com
Other
2.91k stars 509 forks source link

vlan-tagging is missing #171

Open Schattenschimmer opened 4 years ago

Schattenschimmer commented 4 years ago

It would be very good to see the packets oder frames with the vlan id if it's tagged. It works with win10pcap, but not with npcap.

Is it possible to realize this feature?

Many thanks!

guyharris commented 4 years ago

It may be that VLAN-tagged packets might be indicated to NDIS with a NDIS_NET_BUFFER_LIST_8021Q_INFO structure, such that you have to extract data from that structure, if present, and insert the VLAN tag back into the packet after the source address in received packets.

If you're transmitting packets, you may also have to remove the VLAN tag and add that structure for devices that have the NDIS_MAC_OPTION_8021Q_VLAN flag set in the MAC options.

Str1ker17 commented 4 years ago

Yes! I just installed Win10pcap over npcap and REALLY miss this feature in npcap! @guyharris probably we can do it ourselves in collaboration. Does it look complex?

guyharris commented 3 years ago

Note that this complicates packet filtering; that happens before the packet is copied to the buffer (so that we don't waste CPU time or buffer space on packets uninteresting to the person or program doing the capturing), so the VLAN tag is out-of-band data and a simple load from the mbuf chainmemory descriptor list won't fetch it.

The good news is that Linux has the exact same issue, as it can also remove VLAN tags so that they're out-of-band data that 1) needs to be handled specially by generated BPF code and 2) must be reinserted into the packet data before being handed to libpcap's caller.

For BPF, Linux's in-kernel BPF code allows some "special" packet offsets, with the uppermost bit set (so that, if interpreted as signed, they're negative) that refer to packet metadata. See the "Possible BPF extensions are shown in the following table" table in Linux Socket Filtering aka Berkeley Packet Filter (BPF). (Its BPF code translates BPF programs to eBPF programs, and the latter might be interpreted or translated to machine code, so finding the code that implements this in the Linux kernel is a bit of work, and, besides, that code is under GPLv2; see, instead, the case BPF_LD|BPF_B|BPF_ABS code in libpcap's bpf_filter.c.)

For re-inserting the VLAN tag, the Linux kernel doesn't do that - it just makes the metadata available; libpcap re-inserts the VLAN tag. For NPF, given that the driver is copying from the MDL to the buffer anyway, it might make sense to re-insert the VLAN tag in that process.