dmiller-nmap
commented
2 years ago This is currently implemented as PacketSetLoopbackBehavior(NPF_DISABLE_LOOPBACK). As discussed in #544, structural differences between WinPcap and Npcap prevent complete compatibility of features between the two in this case. A better approach will be to implement something like #546 to control whether packets are injected as Send or Receive indications (or potentially both?) and to continue to use NPF_DISABLE_LOOPBACK to mean "don't capture injected packets" as suggested by the libpcap API constant name PCAP_OPENFLAG_NOCAPTURE_LOCAL. Exposing implementation details like the NDIS loopback data path is just asking for incompatibilities with future NDIS versions. We should not be worried about maintaining WinPcap compatibility to such an extent, since WinPcap is retired and applications can insist on Npcap of a certain version or feature set.
As explained in #544 injected packets are sent to the miniport, looped back to the protocols and captured by npcap.
There should be a way to easily detect or suppress the capturing of injected packets.