Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Yang Luo <[email protected]>
Date: Wed, 19 Aug 2015 12:50:46 +0800
Hi Jim,

Current fake Ethernet encapsulation of Npcap refers to the Linux implementation (actually is Ubuntu, as I am only familiar with it for a Linux system). I don't own a OS X computer now so I can't test or use it. One question is is NULL/Loopback encapsulation a widespread protocol standard like Ethernet? Also What I am worried about is that is NULL/Loopback encapsulation type compatible with other softwares? Like Nmap, NetScanTools, etc. I don't know if they have a smart dissector like packet-null.c in Wireshark to tell it's a loopback packet coming.

Moreover, I found a link: https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion. It seems that some softwares did have problem with NULL/Loopback encapsulation, so could you tell me the advantages of this method except saving 10 bytes (Ethernet is 14 bytes without the checksum)? Thanks.


On Wed, Aug 19, 2015 at 1:45 AM, Guy Harris <[email protected]> wrote:

On Aug 18, 2015, at 9:22 AM, Jim Young <[email protected]> wrote:

> Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?

It looks as if the loopback interface supplies only IPv4 and IPv6 packets.

In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.

For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram.  For DLT_NULL, the 4-byte header is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order.  The value is 2 for IPv4 and, for IPv6:

        24 for OpenBSD, NetBSD, and BSD/OS;
        28 for FreeBSD;
        30 for OS X and iOS;
        10 for Linux;
        26 for Solaris;
        23 for Windows;

because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and defined it differently.

For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP header to determine whether it's IPv4 or IPv6.
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe