On 24 August 2015 12:19 PM, "Yang Luo" <[email protected]> wrote:
>
> Hi Pascal,
>
> On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin <[email protected]>
wrote:
>>
>>
>>
>> Hi Yang,
>>
>> Any reason for not using NdisMediumLoopback, which has been defined since
>> Vista according to
>> https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx ?
>> Maybe it would make sense to switch to DLT_LOOPBACK in that case (in that
>> case the packet type must be put in network order).
>
>
> I knew there's a type named NdisMediumLoopback; MSDN says it "Specifies
> an NDIS loopback network." I didn't use this value because I think the
> NdisMediumLoopback provided by Microsoft doesn't mean what we understood
> by it, i.e. UNIX/Linux's loopback. In fact, NDIS never sees or handles
> the loopback traffic; loopback packets like the ICMP ones sent by
> "ping 127.0.0.1" never go to the NDIS layer. They are handled in the
> TCP/IP stack (see
> http://stackoverflow.com/questions/18164876/is-it-possible-to-capture-localhost-packets-127-0-0-1-as-destination-in-ndis-l?rq=1).
> Npcap used dirty ways (WFP) to make this happen. So I think
> NdisMediumLoopback means something else that Microsoft wants it to mean;
> however, I didn't find much information about it except the MSDN
> explanation and didn't know what it is actually used for.
>
> Another reason is that the original WinPcap (wpcap.dll) doesn't support
> the mapping from NdisMediumLoopback to DLT_LOOP, but it has the mapping
> from NdisMediumNull to DLT_NULL. So there are two ways now: 1) the
> NdisMediumNull - DLT_NULL way, 2) the NdisMediumLoopback - DLT_LOOP way;
> will there be a third way like 3) NdisMediumLoopback - DLT_NULL? I didn't
> see any necessary connection between NdisMediumLoopback and DLT_LOOP
> except the shared word "loop".

Thanks for the clarification.
I did not find any NdisMediumNull definition in the ntddndis.h file (I
assume this is something you defined locally for convenience); that's why I
suggested the NdisMediumLoopback value without double checking its exact
meaning.

>
>>
>> Note that Wireshark would still display the raw value: I'm gonna update
>> the array.
>> Any reason for not making the NULL/loopback mode the default instead of
>> the fake Ethernet header?
>
>
> I didn't make it the default because Nmap (and Nping) doesn't work under
> DLT_NULL mode. I think I have tried possible modifications; see
> http://seclists.org/nmap-dev/2015/q3/209 for details.
> I did a rough analysis and found that at least Nping lacks the code to
> handle DLT_NULL traffic. It seems to just view the received response as
> an Ethernet packet. And I doubt whether other tools like NetScanTools can
> handle this right.
>
> Cheers,
> yang
>
>
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
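The two technical points in the exchange above, Pascal's remark that the loopback "packet type" is in host byte order for DLT_NULL but network byte order for DLT_LOOP, and Yang's observation that Nping reads a DLT_NULL frame as if it carried an Ethernet header, as an added Python example. This is editor-written illustration code, not code from this thread, from Npcap, Wireshark or Nmap. The link-type numbers and the AF values in the loopback header (2 for IPv4; 24, 28 or 30 for IPv6 on the various BSDs) are the ones documented by libpcap; the ICMP echo frame is constructed inline, and the helper names are this example's own.

```python
import struct

# Link-layer types as numbered by libpcap (fixed by the pcap format).
DLT_NULL = 0       # BSD loopback: 4-byte AF value in the *capturing* host's byte order
DLT_EN10MB = 1     # Ethernet: 6-byte dst, 6-byte src, 2-byte EtherType
DLT_LOOP = 108     # OpenBSD loopback: same 4-byte AF value, always network byte order

# AF values seen in the loopback header. 2 is AF_INET everywhere;
# AF_INET6 is 24, 28 or 30 depending on which BSD wrote the capture.
LOOPBACK_FAMILIES = {2: "IPv4", 24: "IPv6", 28: "IPv6", 30: "IPv6"}
ETHERTYPE_IPV4 = 0x0800


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_loopback_ping():
    """Constructed sample: ICMP echo request 127.0.0.1 -> 127.0.0.1, i.e. the
    bytes that follow the 4-byte loopback header (there is no Ethernet header)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)          # type 8, code 0, csum, id, seq
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def decode_loopback(frame, linktype):
    """Return (family_name, af_value, payload) for a DLT_NULL or DLT_LOOP frame."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte loopback header")
    if linktype == DLT_LOOP:
        af = struct.unpack("!I", frame[:4])[0]      # network order by definition
    elif linktype == DLT_NULL:
        # The capturing host's byte order is not recorded in a savefile, so
        # try both and keep the one that names a known address family.
        le = struct.unpack("<I", frame[:4])[0]
        be = struct.unpack(">I", frame[:4])[0]
        if le in LOOPBACK_FAMILIES:
            af = le
        elif be in LOOPBACK_FAMILIES:
            af = be
        else:
            raise ValueError("unrecognised DLT_NULL AF value %#010x" % be)
    else:
        raise ValueError("link type %d is not a loopback encapsulation" % linktype)
    return LOOPBACK_FAMILIES.get(af, "unknown"), af, frame[4:]


def decode_ethernet(frame):
    """Naive DLT_EN10MB parse: what a tool does when it assumes every frame is Ethernet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def ip_version(payload):
    """Top nibble of the first byte: 4 for IPv4, 6 for IPv6, anything else is misparsed."""
    return payload[0] >> 4 if payload else None


if __name__ == "__main__":
    ping = build_loopback_ping()
    frames = {
        "DLT_NULL, little-endian capturer": (struct.pack("<I", 2) + ping, DLT_NULL),
        "DLT_NULL, big-endian capturer": (struct.pack(">I", 2) + ping, DLT_NULL),
        "DLT_LOOP": (struct.pack("!I", 2) + ping, DLT_LOOP),
    }
    for label, (frame, dlt) in frames.items():
        fam, af, payload = decode_loopback(frame, dlt)
        print("%-34s family=%s af=%d ip_version=%d" % (label, fam, af, ip_version(payload)))
    # The same DLT_NULL frame read as Ethernet: the "EtherType" is really the
    # IPv4 TTL and protocol bytes, and the "payload" starts 10 bytes into the
    # IP header, so the version nibble no longer reads 4.
    _, _, ethertype, payload = decode_ethernet(frames["DLT_NULL, little-endian capturer"][0])
    print("as Ethernet: ethertype=%#06x ip_version=%d" % (ethertype, ip_version(payload)))
```

The DLT_NULL branch shows why the byte order matters in practice: the same four header bytes decode to AF_INET on the host that captured them and to 0x02000000 on a host of the other endianness, so a reader of a savefile has to try both orders, whereas DLT_LOOP removes the ambiguity by fixing network order. The Ethernet misparse at the end is the Nping symptom from the thread: with no 14-byte header present, the EtherType field lands on the IP header's TTL/protocol bytes (0x4001 rather than 0x0800) and the IP header is skipped over.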
