Open bigretromike opened 1 year ago
guyharris
commented
1 year ago Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.
guyharris
commented
1 year ago And what was the filter expression?
If, as per my guess in #578, a Wireguard interface has NDIS type NdisMediumIP, which maps to libpcap type DLT_RAW, while filter expressions that test the IP layer and above should work, expression that test stuff below the IP layer, such as anything that tests the link layer, including tests of the packet type that test for anything other than IPv4 or IPv6 packets, will not work.
If, for example, I run the command
tcpdump -r raw-ip-capture.pcap arpwhere raw-ip-capture.pcap is a file with a link-layer type of LINKTYPE_RAW, which maps to DLT_RAW:
reading from file raw-ip-capture.pcap, link-type RAW (Raw IP), snapshot length 65535I get
tcpdump: expression rejects all packetsThat happens to e on macOS, with a capture made on an unknown system, but the same behavior will occur with a capture on a DLT_RAW interface on any operating system.
guyharris
commented
1 year ago And what is the tool you're using for "scanning"? In Nmap issue #nmap/nmap#2381, it says nmap should "verify that the pcap_datalink() type supports ARP before using ARP scan for host discovery on that link"; if the link-layer type of a Wireguard tunnel is NdisMediumIP, which means "raw IP with no link-layer header", and which thus MUST map to DLT_RAW, that link-layer type *does not and cannot* support ARP packets - it can't support filtering for them, and it can't even support supplying them to programs doing capturing.
bigretromike
commented
1 year ago Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.
I have no idea how I could check the if this is the same value that is in the oem23.inf that is liked in properties of network controler, then its: *MediaType = 19 ; NdisMediumIP
And what was the filter expression?
nmap 10.255.100.1 the 10.255.100.1 is the wireguard endpoint ip on the other side, and its results in error.
namp 10.255.100.3 is working fine but that is the ip of wireguard interface itself on my side (local)
nmap 192.168.20.1 is also not working, this is the network on ther other side of tunnel which traffic is routed thru wireguard tunel.
And what is the tool you're using for "scanning"?
I was reffering to nmap which I would like to use to scan the other side of tunnel.
I found out that using Wireshark which sadly dont give me the functionaly of nmap but use same npcap? (from what I understand) works correct (mayby somekind of workaround?).
DLT_RAW, that link-layer type does not and cannot support ARP packets - it can't support filtering for them, and it can't even support supplying them to programs doing capturing.
Do I understand correctly that for now I cannot use nmap for wireguard tunnels ? Or is there a way to scan hosts without using ARP ?
edit: I tried with nmap --disable-arp-ping 10.255.100.1 still Error compiling our pcap filter: expression rejects all packets
guyharris
commented
1 year ago Is this the same issue as #578? If a Wireguard tunnel reports an NdisMedium type that libpcap's pcap-npf maps to a DLT_ type that the libpcap pcap compiler doesn't fully support, that's an error message that you might get from the pcap compiler.
I have no idea how I could check the if this is the same value that is in the oem23.inf that is liked in properties of network controler, then its:
*MediaType = 19 ; NdisMediumIP
Yup, that means "packets that begin with an IP header", so it's mapped to DLT_RAW, and the ONLY valid packet types are currently IPv4 packets and IPv6 packets, distinguished by the upper 4 bits of the first octet of the packet. ARP packets are not supported.
And what was the filter expression?
nmap 10.255.100.1
That's the argument to nmap, not a filter expression generated by nmap. That's a question that would have to be answered by an nmap developer, perhaps by an nmap developer changing nmap to report the generated filter when pcap_compile() fails (hint hint).
And what is the tool you're using for "scanning"?
I was reffering to
nmapwhich I would like to use to scan the other side of tunnel. I found out that using Wireshark which sadly dont give me the functionaly of nmap but use samenpcap?(from what I understand) works correct (mayby somekind of workaround?).
The "workaround" is
If you were to try to capture on the Wireguard interface with a filter expression such as "arp", or "ether host XXX", or "ether proto 0x0806', or..., you'd get an error.
Do I understand correctly that for now I cannot use nmap for wireguard tunnels ?
Only if...
Or is there a way to scan hosts without using ARP ?
...there's a way to get nmap not to try to use any filter of the aforementioned sort on that interface.
Note that this is neither WinPcap/Npcap-specific nor Windows-specific:
$ tcpdump -i lo0 arp
tcpdump: expression rejects all packets
$ tcpdump -i lo0 ether host 01:02:03:04:05:06
tcpdump: ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
$ tcpdump -i lo0 isis
tcpdump: expression rejects all packetsThis is on macOS, but you'll get the same results (modulo the particular error message) on any other 4.4-Lite-derived OS, as the loopback interface on those OSes does not have a link-layer type that provides an Ethernet header. On Linux, it does, but unless your software is never ever ever going to run on anything other than Linux, you should not rely on the loopback interface providing an Ethernet header when you capture on it.
guyharris
commented
1 year ago It would be best if nmap would avoid doing anything involving MAC addresses - including assuming that a network has MAC addresses and that "ether host"/"ether src"/"ether dst" will work - or packet types other than IPv4 and IPv6, on any link-layer header types other than:
DLT_EN10MB;DLT_FDDI;DLT_IEEE802 (which, in practice, really means DLT_IEEE802_5, i.e. 802.5 Token Run);DLT_IEEE802_11;DLT_PRISM_HEADER;DLT_IEEE802_11_RADIO_AVS;DLT_IEEE802_11_RADIO;DLT_PPI;DLT_IP_OVER_FC.bigretromike
commented
1 year ago @guyharris that is a lot of wisdom you put on me, thank you very much.
So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap. ( I was hoping that -disable-arp-ping was that thing).
Until then one could use tools like wireshark and restrain himself from using any filter that use ARP.
Maybe a bad assumption about higher layer is using valid lower layer or maybe technology and non-standard solution (or future standard) went to much ahead of nmap development 👍
guyharris
commented
1 year ago So If I understand correctly the current situation is to wait for/write code that would disable any ARP related actions in nmap.
Or whatever it is that's causing nmap to generate a filter of some sort that isn't supported for packets that begin with an IP header; from a quick look at the code it appears that nmap may do IPv6 Neighbor Discovery and have a capture filter that checks for some multicast MAC address, but there isn't any MAC address in DLT_RAW packets.
Describe the bug I'm trying to scan network that is on the other side of wireguard tunnel. That will results in:
Error compiling our pcap filter: expression rejects all packets. Scaning with same setup my local network is working correct.To Reproduce Steps to reproduce the behavior:
Error compiling our pcap filter: expression rejects all packets.Expected behavior I should be able to scan host on other side of Wireguard tunnel
Diagnostic information
OS Info:
Caption : Microsoft Windows 11 Pro BuildNumber : 22621 Locale : 0415 MUILanguages : {pl-PL} OSArchitecture : 64-bitowy ServicePackMajorVersion : 0 ServicePackMinorVersion : 0 SystemDirectory : C:\WINDOWS\system32 Version : 10.0.22621
CPU Info:
Name : Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz Manufacturer : GenuineIntel DeviceID : CPU0 NumberOfCores : 4 NumberOfEnabledCore : 4 NumberOfLogicalProcessors : 4 Addresswidth : 64
Memory Info:
Size: 16328 MB (17121157120 Bytes)
Network Adapter(s) Info:
Caption : [00000001] Realtek PCIe GbE Family Controller GUID : {8A0D060B-B2AC-4F17-8825-39AD4B290058} Index : 1 InterfaceIndex : 14 Manufacturer : Realtek MACAddress : D4:3D:7E:D7:12:A9 Speed : 1000000000 NetConnectionID : Ethernet 2 NetConnectionStatus : 2 PNPDeviceID : PCI\VEN_10EC&DEV_8168&SUBSYS_78511462&REV_0C\4&27483E63&0&00E2 ServiceName : rt640x64 AdapterType : Ethernet 802.3
Caption : [00000002] VirtualBox Host-Only Ethernet Adapter GUID : {9D3030CA-93D1-4788-A1B4-F0F1A0841F51} Index : 2 InterfaceIndex : 16 Manufacturer : Oracle Corporation MACAddress : 0A:00:27:00:00:10 Speed : 1000000000 NetConnectionID : VirtualBox Host-Only Network NetConnectionStatus : 2 PNPDeviceID : ROOT\NET\0000 ServiceName : VBoxNetAdp AdapterType : Ethernet 802.3
Caption : [00000003] LogMeIn Hamachi Virtual Ethernet Adapter GUID : {3D02AAFD-8417-4D65-813F-6B347290BEC8} Index : 3 InterfaceIndex : 8 Manufacturer : LogMeIn Inc. MACAddress : Speed : NetConnectionID : Hamachi NetConnectionStatus : 4 PNPDeviceID : ROOT\NET\0001 ServiceName : Hamachi AdapterType :
Caption : [00000004] Realtek PCIe GbE Family Controller GUID : {E1B39525-36AE-4B42-A340-6B79AAFB2AB7} Index : 4 InterfaceIndex : 20 Manufacturer : Realtek MACAddress : D4:3D:7E:D7:12:A8 Speed : 9223372036854775807 NetConnectionID : Ethernet NetConnectionStatus : 7 PNPDeviceID : PCI\VEN_10EC&DEV_8168&SUBSYS_78511462&REV_0C\4&17B0DE03&0&00E3 ServiceName : rt640x64 AdapterType : Ethernet 802.3
Caption : [00000005] Intel(R) Centrino(R) Wireless-N 2230 GUID : {046D88C9-EAB1-4315-805A-E0FCA2CCFDB4} Index : 5 InterfaceIndex : 2 Manufacturer : Intel Corporation MACAddress : 68:17:29:41:18:83 Speed : 9223372036854775807 NetConnectionID : Wi-Fi NetConnectionStatus : 7 PNPDeviceID : PCI\VEN_8086&DEV_0887&SUBSYS_40628086&REV_C4\4&33814C64&0&00E4 ServiceName : NETwNe64 AdapterType : Ethernet 802.3
Caption : [00000017] WireGuard Tunnel GUID : {0B55DCEC-2AB9-BD10-80FF-D7A77973D76B} Index : 17 InterfaceIndex : 58 Manufacturer : WireGuard LLC MACAddress : Speed : 100000000000 NetConnectionID : DataCenter01 NetConnectionStatus : 2 PNPDeviceID : SWD\WIREGUARD{0B55DCEC-2AB9-BD10-80FF-D7A77973D76B} ServiceName : WireGuard AdapterType :
NDIS Light-Weight Filter (LWF) Info:
HKLM:\SYSTEM\CurrentControlSet\Control\Network{4d36e974-e325-11ce-bfc1-08002be10318}*:
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262144 ComponentId : ms_bridge Description : @%SystemRoot%\system32\bridgeres.dll,-2 InfPath : netbrdg.inf InfSection : Install LocDescription : @%SystemRoot%\system32\bridgeres.dll,-2
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262184 ComponentId : ms_wfplwf_lower Description : @%windir%\System32\drivers\wfplwfs.sys,-6006 InfPath : wfplwfs.inf InfSection : WfpLwf_Lower_Install LocDescription : @%windir%\System32\drivers\wfplwfs.sys,-6006
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 40 ComponentId : ms_netbios Description : @%windir%\system32\drivers\netbios.sys,-501 InfPath : netnb.inf InfSection : NetBIOS.ndi LocDescription : @%windir%\system32\drivers\netbios.sys,-501
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262200 ComponentId : ms_ndiscap Description : @%windir%\System32\drivers\ndiscap.sys,-5000 InfPath : ndiscap.inf InfSection : Install LocDescription : @%windir%\System32\drivers\ndiscap.sys,-5000
InstallTimeStamp : {221, 7, 12, 0...} ComponentId : ms_server Description : @%systemroot%\system32\srvsvc.dll,-109 InfPath : Netserv.inf InfSection : Install.ndi LocDescription : @%systemroot%\system32\srvsvc.dll,-109
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262144 ComponentId : vms_vsf Description : @%windir%\System32\drivers\vmswitch.sys,-60005 InfPath : wvms_vsft.inf InfSection : VMSVSF.ndi LocDescription : @%windir%\System32\drivers\vmswitch.sys,-60005
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262184 ComponentId : ms_vwifi Description : @%windir%\System32\drivers\vwififlt.sys,-105 InfPath : netvwififlt.inf InfSection : Install LocDescription : @%windir%\System32\drivers\vwififlt.sys,-105
InstallTimeStamp : {230, 7, 9, 0...} Characteristics : 262144 ComponentId : oracle_VBoxNetLwf Description : @oem15.inf,%vboxnetlwf_desc%;VirtualBox NDIS6 Bridged Networking Driver InfPath : oem15.inf InfSection : VBoxNetLwf.ndi LocDescription : @oem15.inf,%vboxnetlwf_desc%;VirtualBox NDIS6 Bridged Networking Driver
InstallTimeStamp : {230, 7, 10, 0...} Characteristics : 262144 ComponentId : insecure_npcap Description : @oem32.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP) InfPath : oem32.inf InfSection : FilterStandard LocDescription : @oem32.inf,%npf_desc_standard%;Npcap Packet Driver (NPCAP)
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262144 ComponentId : ms_pacer Description : @%windir%\System32\drivers\pacer.sys,-101 InfPath : netpacer.inf InfSection : Install LocDescription : @%windir%\System32\drivers\pacer.sys,-101
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262184 ComponentId : ms_wfplwf_upper Description : @%windir%\System32\drivers\wfplwfs.sys,-6005 InfPath : wfplwfs.inf InfSection : WfpLwf_Upper_Install LocDescription : @%windir%\System32\drivers\wfplwfs.sys,-6005
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262184 ComponentId : ms_nativewifip Description : @%windir%\System32\drivers\nwifi.sys,-101 InfPath : netnwifi.inf InfSection : MS_NWIFI.Install LocDescription : @%windir%\System32\drivers\nwifi.sys,-101
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262144 ComponentId : ms_wfplwf_vswitch Description : @%windir%\System32\drivers\wfplwfs.sys,-6004 InfPath : wfplwfs.inf InfSection : WfpLwf_vSwitch_Install LocDescription : @%windir%\System32\drivers\wfplwfs.sys,-6004
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262144 ComponentId : ms_l2bridge Description : @%SystemRoot%\System32\drivers\l2bridge.sys,-5000 InfPath : l2bridge.inf InfSection : Install LocDescription : @%SystemRoot%\System32\drivers\l2bridge.sys,-5000
InstallTimeStamp : {221, 7, 12, 0...} Characteristics : 262184 ComponentId : ms_winvfp Description : Microsoft Azure VFP Switch Filter Extension InfPath : vfpfilter.inf InfSection : Install LocDescription : Microsoft Azure VFP Switch Filter Extension
Name DisplayName ComponentID Enabled
Ethernet Npcap Packet Driver (NPCAP) insecure_npcap True
VirtualBox Host-Only Network Npcap Packet Driver (NPCAP) insecure_npcap True
Ethernet 2 Npcap Packet Driver (NPCAP) insecure_npcap True
Hamachi Npcap Packet Driver (NPCAP) insecure_npcap True
DataCenter01 Npcap Packet Driver (NPCAP) insecure_npcap True
Wi-Fi Npcap Packet Driver (NPCAP) insecure_npcap True
File Info:
LastWriteTime : 18.08.2022 19:49:28 Length : 815 Name : CheckStatus.bat
LastWriteTime : 09.10.2022 00:34:58 Length : 0 Name : DiagReport-20221009-003458.txt
LastWriteTime : 18.08.2022 19:49:28 Length : 1042 Name : DiagReport.bat
LastWriteTime : 18.08.2022 19:49:28 Length : 18078 Name : DiagReport.ps1
LastWriteTime : 18.08.2022 19:49:28 Length : 2513 Name : FixInstall.bat
LastWriteTime : 09.10.2022 00:19:54 Length : 35382 Name : install.log
LastWriteTime : 18.08.2022 19:49:28 Length : 11547 Name : LICENSE
LastWriteTime : 19.08.2022 21:59:06 Length : 12707 Name : npcap.cat
LastWriteTime : 19.08.2022 21:59:06 Length : 8844 Name : npcap.inf
LastWriteTime : 19.08.2022 21:59:06 Length : 77336 Name : npcap.sys
LastWriteTime : 19.08.2022 21:59:06 Length : 2433 Name : npcap_wfp.inf
LastWriteTime : 19.08.2022 21:09:18 Length : 308176 Name : NPFInstall.exe
LastWriteTime : 09.10.2022 00:19:36 Length : 55015 Name : NPFInstall.log
LastWriteTime : 19.08.2022 22:00:14 Length : 1081352 Name : Uninstall.exe
Path : C:\Program Files\Npcap\npcap.cat Status : Valid StatusMessage : Signature verified. Thumbprint : 451B7F8A4C0E669189E9382A09E423C2B875AD42
Path : C:\Program Files\Npcap\npcap.inf Status : Valid StatusMessage : Signature verified. Thumbprint : 451B7F8A4C0E669189E9382A09E423C2B875AD42
Path : C:\Program Files\Npcap\npcap.sys Status : Valid StatusMessage : Signature verified. Thumbprint : 451B7F8A4C0E669189E9382A09E423C2B875AD42
Path : C:\Program Files\Npcap\NPFInstall.exe Status : Valid StatusMessage : Signature verified. Thumbprint : 3C0D087ECDCC76D1084ABE00F1FEE5040400AE37
Path : C:\Program Files\Npcap\Uninstall.exe Status : Valid StatusMessage : Signature verified. Thumbprint : 3C0D087ECDCC76D1084ABE00F1FEE5040400AE37
LastWriteTime : 19.08.2022 21:09:20 Length : 156624 Name : NpcapHelper.exe
LastWriteTime : 19.08.2022 21:09:18 Length : 219600 Name : Packet.dll
LastWriteTime : 19.08.2022 21:09:20 Length : 266704 Name : WlanHelper.exe
LastWriteTime : 19.08.2022 21:09:20 Length : 489424 Name : wpcap.dll
LastWriteTime : 19.08.2022 21:09:20 Length : 156624 Name : NpcapHelper.exe
LastWriteTime : 19.08.2022 21:09:18 Length : 219600 Name : Packet.dll
LastWriteTime : 19.08.2022 21:09:20 Length : 266704 Name : WlanHelper.exe
LastWriteTime : 19.08.2022 21:09:20 Length : 489424 Name : wpcap.dll
WinPcap Info:
HKLM:\SOFTWARE\WOW6432Node\WinPcap: Not present.
Registry Info:
HKLM:\SOFTWARE\WOW6432Node\Npcap:
AdminOnly : 0 WinPcapCompatible : 1 (default) : C:\Program Files\Npcap
HKLM:\SYSTEM\CurrentControlSet\Services\npcap:
Type : 1 Start : 1 ErrorControl : 1 Tag : 32 ImagePath : \SystemRoot\system32\DRIVERS\npcap.sys DisplayName : @oem32.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP) Group : NDIS Description : @oem32.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP) NdisMajorVersion : 6 NdisMinorVersion : 50 DriverMajorVersion : 1 DriverMinorVersion : 71
HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters:
LoopbackSupport : 1 DltNull : 1 Edition : Npcap AdminOnly : 0 Dot11Support : 0 NdisImPlatformBindingOptions : 2 DefaultFilterSettings : 1 VlanSupport : 0 WinPcapCompatible : 1
HKLM:\SYSTEM\CurrentControlSet\Services\npcap_wifi:
Start : 4
HKLM:\SYSTEM\CurrentControlSet\Services\npf: Not present. HKLM:\SYSTEM\CurrentControlSet\Services\npf\Parameters: Not present. HKLM:\SYSTEM\CurrentControlSet\Services\npf_wifi: Not present.
Service Info:
Status : Running Name : npcap DisplayName : Npcap Packet Driver (NPCAP)
Get-Service : Cannot find any service with service name 'npf'. At C:\Program Files\Npcap\DiagReport.ps1:214 char:1
Install Info:
Please refer to: C:\Program Files\Npcap\install.log