Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 18 Aug 2015 23:33:51 -0700
On Aug 18, 2015, at 9:50 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> Current fake Ethernet encapsulation of Npcap refers to the Linux implementation (actually it is Ubuntu, as I am only familiar with it for a Linux system). I don't own an OS X computer now, so I can't test or use it. One question is: is NULL/Loopback encapsulation a widespread protocol standard like Ethernet?

DLT_NULL is not a published standard, but it's used for loopback devices on

	1) the most common desktop UNIX (no, it's not anything Linux-based, it's BSD-flavored)

and

	2) the second most common smartphone/tablet UN*X

as well as on FreeBSD, NetBSD, and DragonFly BSD.  DLT_LOOP is used on OpenBSD.

A program that can't handle DLT_NULL or DLT_LOOP *cannot* handle loopback device captures from any of those OSes.

> Also, what I am worried about is whether the NULL/Loopback encapsulation type is compatible with other software, like Nmap, NetScanTools, etc. I don't know if they have a smart dissector like packet-null.c in Wireshark to tell that it's a loopback packet coming.

There's nothing "smart" needed - Wireshark's just working around some screwups in some OSes that mistakenly use DLT_NULL for things that didn't have a DLT_NULL link-layer header.  All a program needs to do is catch DLT_NULL and DLT_LOOP, fetch the 4-byte header, and compare it against 2 for IPv4 and against various values for IPv6.

Tcpdump had support for it before Wireshark even *existed*, even under the name Ethereal.  Look at null_if_print() in print-null.c in the tcpdump source - it doesn't bother with the "smart" stuff.

Nmap handles it, except for libnetutil/netutil.cc, which doesn't handle *anything* other than DLT_EN10MB and DLT_LINUX_SLL - that code can't handle PPP on anything other than Linux (and that only because Linux doesn't, or at least didn't, bother to supply a useful link-layer header for PPP, so libpcap falls back on cooked mode so it can get *some* packet information).

NetScanTools - unknown, but, as they're Windows-only and use WinPcap, they might not bother handling DLT_NULL/DLT_LOOP, as WinPcap hasn't supplied them.  The "Packet Capture Tool" can save a pcap file and presumably can read a saved file:

	http://www.netscantools.com/nstpro_packet_capture.html

"Saving the capture or a specific packet is fully supported and you can reload a capture later for future analysis."

but if all they support is reading files saved from the "Packet Capture Tool", they might not support any DLT_/LINKTYPE_ values that you don't get from WinPcap.

> Moreover, I found a link: https://ask.wireshark.org/questions/7849/null-loopback-link-encapsulation-conversion. It seems that some software did have problems with NULL/Loopback encapsulation,

Yeah, another tool that didn't bother with DLT_NULL/DLT_LOOP.  Perhaps Riverbed fixed that after buying OpNet.

> so could you tell me the advantages of this method except saving 10 bytes (Ethernet is 14 bytes without the checksum)?

Not confusing people into thinking that they have an Ethernet capture with meaningful source and destination addresses in the capture?
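As an added illustration of the "catch DLT_NULL and DLT_LOOP, fetch the 4-byte header, and compare it against 2 for IPv4 and against various values for IPv6" step described in the reply above, here is a small self-contained parser. It is example code written for this page, not code from Npcap, libpcap, tcpdump or Wireshark; the function and type names (`parse_loopback_frame`, `loop_result`, the `LOOP_AF_*` macros) are my own, and the sample frames are constructed by hand rather than taken from any real capture. The byte-order handling (read the field natively and swap it if the upper 16 bits are non-zero) is the same heuristic tcpdump's print-null.c uses, since DLT_NULL stores the family in the capturing host's byte order while DLT_LOOP stores it in network byte order. The parser also cross-checks the IP version nibble of the payload against the claimed family, which catches frames where the 4-byte header is missing or wrong.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Address-family values carried in the 4-byte DLT_NULL / DLT_LOOP header.
 * AF_INET is 2 everywhere; AF_INET6 differs between BSDs, so a reader has
 * to accept all of them.
 */
#define LOOP_AF_INET          2u
#define LOOP_AF_INET6_NETBSD  24u   /* NetBSD, OpenBSD, BSD/OS */
#define LOOP_AF_INET6_FREEBSD 28u
#define LOOP_AF_INET6_DARWIN  30u   /* OS X / iOS */

enum loop_proto { LOOP_TRUNCATED, LOOP_IPV4, LOOP_IPV6, LOOP_OTHER, LOOP_MISMATCH };

struct loop_result {
    enum loop_proto proto;
    uint32_t family;        /* address family after byte-order correction */
    size_t   payload_off;   /* offset of the IP header (4 on success) */
};

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/*
 * Parse one frame from a DLT_NULL or DLT_LOOP capture. Every known AF value
 * fits in 16 bits, so if the upper 16 bits of the natively-read field are
 * set the field must be in the opposite byte order and is swapped.
 */
struct loop_result parse_loopback_frame(const uint8_t *pkt, size_t len)
{
    struct loop_result r = { LOOP_TRUNCATED, 0, 0 };
    uint32_t family;

    if (len < 4)
        return r;
    memcpy(&family, pkt, sizeof family);
    if ((family & 0xFFFF0000u) != 0)
        family = bswap32(family);
    r.family = family;
    r.payload_off = 4;

    switch (family) {
    case LOOP_AF_INET:
        r.proto = LOOP_IPV4;
        break;
    case LOOP_AF_INET6_NETBSD:
    case LOOP_AF_INET6_FREEBSD:
    case LOOP_AF_INET6_DARWIN:
        r.proto = LOOP_IPV6;
        break;
    default:
        r.proto = LOOP_OTHER;   /* e.g. 7 = OSI, 23 = IPX */
        return r;
    }

    /* Cross-check the IP version nibble against the claimed family. */
    if (len > 4) {
        unsigned version = pkt[4] >> 4;
        if ((r.proto == LOOP_IPV4 && version != 4) ||
            (r.proto == LOOP_IPV6 && version != 6))
            r.proto = LOOP_MISMATCH;
    }
    return r;
}

/* Constructed sample frames (not taken from any real capture). */
/* DLT_NULL from a little-endian host: AF_INET, then a minimal IPv4 header. */
const uint8_t sample_null_le_ipv4[] = {
    0x02, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01
};
/* DLT_LOOP (network order), or DLT_NULL from a big-endian host:
 * FreeBSD-style AF_INET6 followed by the start of an IPv6 header. */
const uint8_t sample_loop_ipv6[] = {
    0x00, 0x00, 0x00, 0x1c,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x40
};
/* Header claims AF_INET, but the payload starts with an IPv6 version nibble. */
const uint8_t sample_bad_version[] = { 0x02, 0x00, 0x00, 0x00, 0x60, 0x00 };
/* Too short to even hold the 4-byte header. */
const uint8_t sample_short[] = { 0x02, 0x00 };

int main(void)
{
    static const char *names[] = { "truncated", "IPv4", "IPv6", "other", "mismatch" };
    struct loop_result r;

    r = parse_loopback_frame(sample_null_le_ipv4, sizeof sample_null_le_ipv4);
    printf("null/le  : family=%u proto=%s\n", (unsigned)r.family, names[r.proto]);
    r = parse_loopback_frame(sample_loop_ipv6, sizeof sample_loop_ipv6);
    printf("loop     : family=%u proto=%s\n", (unsigned)r.family, names[r.proto]);
    r = parse_loopback_frame(sample_bad_version, sizeof sample_bad_version);
    printf("bad vers : family=%u proto=%s\n", (unsigned)r.family, names[r.proto]);
    r = parse_loopback_frame(sample_short, sizeof sample_short);
    printf("short    : proto=%s\n", names[r.proto]);
    return 0;
}
```

Because the swap decision is made from the field's own value rather than from the pcap file's magic number, the same function works for DLT_NULL files written on either endianness and for DLT_LOOP files, which is exactly the property a reader needs to accept loopback captures from all the BSD-derived systems listed in the reply.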