On Aug 18, 2015, at 9:50 PM, Yang Luo <hslu...@gmail.com> wrote: > Current fake Ethernet encapsulation of Npcap refers to the Linux > implementation (actually is Ubuntu, as I am only familiar with it for a Linux > system). I don't own a OS X computer now so I can't test or use it. One > question is is NULL/Loopback encapsulation a widespread protocol standard > like Ethernet?
DLT_NULL is not a published standard, but it's used for loopback devices on 1) the most common desktop UNIX (no, it's not anything Linux-based, it's BSD-flavored) and 2) the second most common smartphone/tablet UN*X as well as on FreeBSD, NetBSD, and DragonFly BSD. DLT_LOOP is used on OpenBSD. A program that can't handle DLT_NULL or DLT_LOOP *cannot* handle loopback device captures from any of those OSes. > Also What I am worried about is that is NULL/Loopback encapsulation type > compatible with other softwares? Like Nmap, NetScanTools, etc. I don't know > if they have a smart dissector like packet-null.c in Wireshark to tell it's a > loopback packet coming. There's nothing "smart" needed - Wireshark's just working around some screwups in some OSes that mistakenly use DLT_NULL for things that didn't have a DLT_NULL link-layer header. All a program needs to do is catch DLT_NULL and DLT_LOOP, fetch the 4-byte header, and compare it against 2 for IPv4 and against various values for IPv6. Tcpdump had support for it before Wireshark even *existed*, even under the name Ethereal. Look at null_if_print() in print-null.c in the tcpdump source - it doesn't bother with the "smart" stuff. Nmap handles it, except for libnetutil/netutil.cc, which doesn't handle *anything* other than DLT_EN10MB and DLT_LINUX_SLL - that code can't handle PPP on anything other than Linux (and that only because Linux doesn't, or at least didn't, bother to supply a useful link-layer header for PPP, so libpcap falls back on cooked mode so it can get *some* packet information). NetScanTools - unknown, but, as they're Windows-only and use WinPcap, they might not bother handling DLT_NULL/DLT_LOOP, as WinPcap hasn't supplied them. The "Packet Capture Tool" can save a pcap file and presumably can read a saved file: http://www.netscantools.com/nstpro_packet_capture.html "Saving the capture or a specific packet is fully supported and you can reload a capture later for future analysis." but if all they support is reading files saved from the "Packet Capture Tool", they might not support any DLT_/LINKTYPE_ values that you don't get from WinPcap. > Moreover, I found a link: > https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion. > It seems that some softwares did have problem with NULL/Loopback > encapsulation, Yeah, another tool that didn't bother with DLT_NULL/DLT_LOOP. Perhaps Riverbed fixed that after buying OpNet. > so could you tell me the advantages of this method except saving 10 bytes > (Ethernet is 14 bytes without the checksum)? Not confusing people into thinking that they have an Ethernet capture with meaningful source and destination addresses in the capture? ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe