Hi Guy,

I have looked at all occurrences of PCAP_IF_LOOPBACK in Npcap's wpcap.dll code at https://github.com/nmap/npcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK, and it seems that this property is never effectively used inside wpcap.dll's code. In Wireshark's WinPcap official trunk, it is totally unused except for some prints. See: https://github.com/wireshark/winpcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK.

So currently PCAP_IF_LOOPBACK is never set in any pcap_if_t struct for WinPcap and Npcap. And it seems to work fine without setting it. What would Wireshark use this PCAP_IF_LOOPBACK for?

I know Nmap does use the IPHelper API to list the interfaces and get the loopback type. PCAP_IF_LOOPBACK appears in Nmap's code, but it is used in other unimportant places.

Cheers,
Yang

On Mon, Aug 24, 2015 at 4:46 PM, Guy Harris <g...@alum.mit.edu> wrote:

>
> On Aug 24, 2015, at 1:32 AM, Pascal Quantin <pascal.quan...@gmail.com> wrote:
>
> > 2015-08-24 10:28 GMT+02:00 Guy Harris <g...@alum.mit.edu>:
> >
> >> Note that, if all packets are IPv4 or IPv6 packets, you could also use NdisMediumIP, if that means "received and transmitted packets begin with an IP header and have no link-layer header", and map that to DLT_RAW.
> >
> > Correct, but I was finding the NdisMediumLoopback type maybe more representative as there can be other interfaces using raw IP (like MBIM USB class). At least with such DLT we have no doubt regarding the fact that it is a loopback capture :)
>
> Using the LINKTYPE_/DLT_ value to determine *anything* other than the format of the data at the beginning of the packet is an error. In particular, using it to determine the interface type is an error.
>
> You might, for example, have:
>
>     LINKTYPE_ETHERNET/DLT_EN10MB as the link-layer header type for packets captured from an 802.11 interface that's not in monitor mode (and, yes, the data at the beginning of the packet will be an Ethernet header);
>
>     LINKTYPE_ETHERNET/DLT_EN10MB as the link-layer header type for packets captured from a loopback device on Linux (and, yes, the data at the beginning of the packet will be an Ethernet header);
>
>     LINKTYPE_NULL/DLT_NULL as the link-layer header type for packets captured from a loopback device on a BSD-flavored-but-not-OpenBSD system;
>
>     LINKTYPE_LOOP/DLT_LOOP as the link-layer header type for packets captured from a loopback device on OpenBSD;
>
>     LINKTYPE_IPNET/DLT_IPNET as the link-layer header type for packets captured from a loopback device on Solaris;
>
> etc..
>
> If you want to know whether a device is a loopback device, check the PCAP_IF_LOOPBACK flag in the flags member of the pcap_if_t structure supplied for the device in a pcap_findalldevs() or pcap_findalldevs_ex() call.
>
> And, yes, if Npcap isn't setting that flag for the loopback device, it must be changed to do so.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>
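The point in the quoted reply, that a LINKTYPE_/DLT_ value describes only the bytes at the start of each packet, shown as an added example that is not code from this thread, libpcap, WinPcap or Npcap. The function name `ip_payload`, the sample packet and the capture labels are constructed for illustration; the LINKTYPE_ numbers are the registered values, and LINKTYPE_IPNET is left out.

```python
import struct

# LINKTYPE_ values from the pcap link-layer header type registry.
LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW, LINKTYPE_LOOP = 0, 1, 101, 108

def ip_payload(linktype, pkt):
    """Strip the link-layer header selected by linktype and return the IP packet.

    linktype only selects the header format; it is never read as an interface type.
    """
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", pkt, 12)
        if ethertype not in (0x0800, 0x86DD):  # IPv4, IPv6
            raise ValueError("Ethernet frame does not carry IP")
        offset = 14
    elif linktype in (LINKTYPE_NULL, LINKTYPE_LOOP):
        if len(pkt) < 4:
            raise ValueError("truncated address-family header")
        # LOOP: family in network byte order. NULL: byte order of the capturing
        # host, which the reader cannot know, so take whichever reading is small.
        (big,) = struct.unpack_from(">I", pkt)
        (little,) = struct.unpack_from("<I", pkt)
        family = big if linktype == LINKTYPE_LOOP else min(big, little)
        if family == 0 or family > 0xFF:
            raise ValueError("implausible address family")
        offset = 4
    elif linktype == LINKTYPE_RAW:
        offset = 0
    else:
        raise ValueError("unsupported link-layer header type %d" % linktype)
    if len(pkt) <= offset or pkt[offset] >> 4 not in (4, 6):
        raise ValueError("no IP header after link-layer header")
    return pkt[offset:]

# Constructed sample: a 20-byte IPv4 header, 127.0.0.1 -> 127.0.0.1 (checksum left zero).
IPV4 = bytes.fromhex("4500001400000000400100007f0000017f000001")
# Constructed captures of that packet, framed as the loopback cases listed in the thread.
CAPTURES = {
    "Linux lo": (LINKTYPE_ETHERNET, bytes(12) + b"\x08\x00" + IPV4),
    "BSD lo0": (LINKTYPE_NULL, struct.pack("<I", 2) + IPV4),
    "OpenBSD lo0": (LINKTYPE_LOOP, struct.pack(">I", 2) + IPV4),
    "raw IP": (LINKTYPE_RAW, IPV4),
}

if __name__ == "__main__":
    for name, (lt, pkt) in CAPTURES.items():
        print(name, lt, ip_payload(lt, pkt) == IPV4)
```

The same loopback packet arrives under four different header types, and the LINKTYPE_ETHERNET framing is indistinguishable in format from a frame captured on a physical NIC, which is why loopback status has to come from PCAP_IF_LOOPBACK rather than from the header type.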