On Aug 24, 2015, at 1:32 AM, Pascal Quantin <pascal.quan...@gmail.com> wrote:

> 2015-08-24 10:28 GMT+02:00 Guy Harris <g...@alum.mit.edu>:
> 
>> Note that, if all packets are IPv4 or IPv6 packets, you could also use 
>> NdisMediumIP, if that means "received and transmitted packets begin with an 
>> IP header and have no link-layer header", and map that to DLT_RAW.
> 
> Correct, but I was finding the NdisMediumLoopback type maybe more 
> representative as there can be other interfaces using raw IP (like MBIM USB 
> class). At least with such DLT we have no doubt regarding the fact that it is 
> a loopback capture :)

Using the LINKTYPE_/DLT_ value to determine *anything* other than the format of 
the data at the beginning of the packet is an error.  In particular, using it 
to determine the interface type is an error.

You might, for example, have:

        LINKTYPE_ETHERNET/DLT_EN10MB as the link-layer header type for packets 
captured from an 802.11 interface that's not in monitor mode (and, yes, the 
data at the beginning of the packet will be an Ethernet header);

        LINKTYPE_ETHERNET/DLT_EN10MB as the link-layer header type for packets 
captured from a loopback device on Linux (and, yes, the data at the beginning 
of the packet will be an Ethernet header);

        LINKTYPE_NULL/DLT_NULL as the link-layer header type for packets 
captured from a loopback device on a BSD-flavored-but-not-OpenBSD system;

        LINKTYPE_LOOP/DLT_LOOP as the link-layer header type for packets 
captured from a loopback device on OpenBSD;

        LINKTYPE_IPNET/DLT_IPNET as the link-layer header type for packets 
captured from a loopback device on Solaris;

etc.

If you want to know whether a device is a loopback device, check the 
PCAP_IF_LOOPBACK flag in the flags member of the pcap_if_t structure supplied 
for the device in a pcap_findalldevs() or pcap_findalldevs_ex() call.

And, yes, if Npcap isn't setting that flag for the loopback device, it must be 
changed to do so.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
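
An added example, not part of the original message and not libpcap or Wireshark code: a C function that uses the LINKTYPE_ value only for what the message says it is for, locating the IP header behind the link-layer header. The names `ip_header_offset`, `LT_*` and the sample frames are assumptions made for this sketch, and the AF_ values accepted are the BSD ones; nothing in these bytes says whether the capture device was a loopback device, which is what PCAP_IF_LOOPBACK reports.

```c
#include <stddef.h>
#include <stdint.h>

/* LINKTYPE_ values from the tcpdump.org registry, defined locally so the
   example builds without libpcap (names are this example's own). */
enum { LT_NULL = 0, LT_ETHERNET = 1, LT_RAW = 101, LT_LOOP = 108 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint32_t le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8) | (uint32_t)p[0];
}
/* AF_INET is 2; AF_INET6 is 24, 28 or 30 depending on the BSD flavor. */
static int af_is_ip(uint32_t af) {
    return af == 2 || af == 24 || af == 28 || af == 30;
}

/* Offset of the IP header, or -1 if truncated, not IP, or unhandled type. */
long ip_header_offset(int linktype, const uint8_t *pkt, size_t len) {
    uint32_t v;
    switch (linktype) {
    case LT_ETHERNET:               /* 14-byte Ethernet header */
        if (len < 14) return -1;
        v = ((uint32_t)pkt[12] << 8) | pkt[13];     /* EtherType */
        return (v == 0x0800 || v == 0x86DD) ? 14 : -1;
    case LT_NULL:                   /* 4-byte AF_ value, capturing host's byte order */
        if (len < 4) return -1;
        v = be32(pkt);
        if (v > 0xFFFF) v = le32(pkt);              /* written by a little-endian host */
        return af_is_ip(v) ? 4 : -1;
    case LT_LOOP:                   /* 4-byte AF_ value, network byte order */
        if (len < 4) return -1;
        return af_is_ip(be32(pkt)) ? 4 : -1;
    case LT_RAW:                    /* no link-layer header: IP version nibble first */
        if (len < 1) return -1;
        return ((pkt[0] >> 4) == 4 || (pkt[0] >> 4) == 6) ? 0 : -1;
    default:
        return -1;
    }
}

/* Constructed sample frames: link-layer header plus first byte of an IPv4 header. */
const uint8_t ETH_FRAME[]  = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 0x45};
const uint8_t NULL_FRAME[] = {0x02,0x00,0x00,0x00, 0x45};  /* little-endian host */
const uint8_t LOOP_FRAME[] = {0x00,0x00,0x00,0x02, 0x45};
const uint8_t RAW_FRAME[]  = {0x45};
```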