On Aug 18, 2015, at 9:50 PM, Yang Luo <hslu...@gmail.com> wrote:
> Current fake Ethernet encapsulation of Npcap refers to the Linux
> implementation (actually is Ubuntu, as I am only familiar with it for a Linux
> system). I don't own a OS X computer now so I can't test or use it. One
> question is is NULL/Loopback encapsulation a widespread protocol standard
> like Ethernet?
DLT_NULL is not a published standard, but it's used for loopback devices on
1) the most common desktop UNIX (no, it's not anything Linux-based,
it's BSD-flavored)
and
2) the second most common smartphone/tablet UN*X
as well as on FreeBSD, NetBSD, and DragonFly BSD. DLT_LOOP is used on OpenBSD.
A program that can't handle DLT_NULL or DLT_LOOP *cannot* handle loopback
device captures from any of those OSes.
> Also What I am worried about is that is NULL/Loopback encapsulation type
> compatible with other softwares? Like Nmap, NetScanTools, etc. I don't know
> if they have a smart dissector like packet-null.c in Wireshark to tell it's a
> loopback packet coming.
There's nothing "smart" needed - Wireshark's just working around some screwups
in some OSes that mistakenly use DLT_NULL for things that didn't have a
DLT_NULL link-layer header. All a program needs to do is catch DLT_NULL and
DLT_LOOP, fetch the 4-byte header, and compare it against 2 for IPv4 and
against various values for IPv6.
Tcpdump had support for it before Wireshark even *existed*, even under the name
Ethereal. Look at null_if_print() in print-null.c in the tcpdump source - it
doesn't bother with the "smart" stuff.
Nmap handles it, except for libnetutil/netutil.cc, which doesn't handle
*anything* other than DLT_EN10MB and DLT_LINUX_SLL - that code can't handle PPP
on anything other than Linux (and that only because Linux doesn't, or at least
didn't, bother to supply a useful link-layer header for PPP, so libpcap falls
back on cooked mode so it can get *some* packet information).
NetScanTools - unknown, but, as they're Windows-only and use WinPcap, they
might not bother handling DLT_NULL/DLT_LOOP, as WinPcap hasn't supplied them.
The "Packet Capture Tool" can save a pcap file and presumably can read a saved
file:
http://www.netscantools.com/nstpro_packet_capture.html
"Saving the capture or a specific packet is fully supported and you can reload
a capture later for future analysis."
but if all they support is reading files saved from the "Packet Capture Tool",
they might not support any DLT_/LINKTYPE_ values that you don't get from
WinPcap.
> Moreover, I found a link:
> https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion.
> It seems that some softwares did have problem with NULL/Loopback
> encapsulation,
Yeah, another tool that didn't bother with DLT_NULL/DLT_LOOP. Perhaps Riverbed
fixed that after buying OpNet.
> so could you tell me the advantages of this method except saving 10 bytes
> (Ethernet is 14 bytes without the checksum)?
Not confusing people into thinking that they have an Ethernet capture with
meaningful source and destination addresses in the capture?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
