Wireshark-dev: Re: [Wireshark-dev] Question about changing Npcap loopback interface's MTU to 65
From: Pascal Quantin <[email protected]>
Date: Fri, 21 Aug 2015 15:20:26 +0200
Hi Yang,

2015-08-21 14:46 GMT+02:00 Yang Luo <[email protected]>:
Hi list,

I have updated Npcap to 0.04-r4. This version modified "Npcap Loopback Adapter"'s MTU to 65536, so the maximum packet size is 65550 (65536 + eth_hdr_size).

But I found weird result in Wireshark's "Interface Details" dialog.

1) Npcap Loopback Adapter:
Transmit Buffer Space 1514
Receive Buffer Space 1514
Transmit Block Size 1
Receive Block Size 1
Maximum Packet Size 65550

Another Ethernet interface's result is normal:
2) Ethernet0:
Transmit Buffer Space 1550336
Receive Buffer Space 779264
Transmit Block Size 1514
Receive Block Size 1514
Maximum Packet Size 1514

In Linux, Wireshark doesn't have an "Interface Details" dialog, so I can't know what the expected result should be for a loopback interface. So I'd like to know what these numbers are and is the result of Npcap Loopback Adapter correct? It doesn't seem to affect the capture result.

The latest installer is at:

From what I can see in the source code ( https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=ui/gtk/capture_if_details_dlg_win32.c;h=76b264646c8cc5eaf1ead6c388d869caed3ccf2f;hb=refs/heads/master ) the info is populated by calling the following Winpcap interfaces:
wpcap_packet_request_uint(adapter, OID_GEN_TRANSMIT_BUFFER_SPACE, &uint_value)
wpcap_packet_request_uint(adapter, OID_GEN_RECEIVE_BUFFER_SPACE, &uint_value)
wpcap_packet_request_uint(adapter, OID_GEN_TRANSMIT_BLOCK_SIZE , &uint_value)
wpcap_packet_request_uint(adapter, OID_GEN_RECEIVE_BLOCK_SIZE, &uint_value)
wpcap_packet_request_uint is a wrapper on top of wpcap_packet_request which is defined here: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=caputils/capture_wpcap_packet.c;h=5b3ffc479d3f4cfb0bfc78eb6ec0a820c39f2f9e;hb=refs/heads/master
From what I can see, it seems to be only used for this dialog.
Note that the NDIS version also seems suspicious (it's reporting 5).