Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Yang Luo <[email protected]>
Date: Wed, 19 Aug 2015 12:50:46 +0800
Hi Jim,

Current fake Ethernet encapsulation of Npcap refers to the Linux implementation (actually is Ubuntu, as I am only familiar with it for a Linux system). I don't own a OS X computer now so I can't test or use it. One question is is NULL/Loopback encapsulation a widespread protocol standard like Ethernet? Also What I am worried about is that is NULL/Loopback encapsulation type compatible with other softwares? Like Nmap, NetScanTools, etc. I don't know if they have a smart dissector like packet-null.c in Wireshark to tell it's a loopback packet coming.

Moreover, I found a link: https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion. It seems that some softwares did have problem with NULL/Loopback encapsulation, so could you tell me the advantages of this method except saving 10 bytes (Ethernet is 14 bytes without the checksum)? Thanks.

Cheers,
Yang


On Wed, Aug 19, 2015 at 1:45 AM, Guy Harris <[email protected]> wrote:

On Aug 18, 2015, at 9:22 AM, Jim Young <[email protected]> wrote:

> Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?

It looks as if the loopback interface supplies only IPv4 and IPv6 packets.

In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.

For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram.  For DLT_NULL, the 4-byte header is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order.  The value is 2 for IPv4 and, for IPv6:

        24 for OpenBSD, NetBSD, and BSD/OS;
        28 for FreeBSD;
        30 for OS X and iOS;
        10 for Linux;
        26 for Solaris;
        23 for Windows;

because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and defined it differently.

For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP header to determine whether it's IPv4 or IPv6.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe