Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Pascal Quantin <[email protected]>
Date: Mon, 24 Aug 2015 10:32:47 +0200

2015-08-24 10:28 GMT+02:00 Guy Harris <[email protected]>:

On Aug 24, 2015, at 1:19 AM, Pascal Quantin <[email protected]> wrote:

> any reason for not using NdisMediumLoopback that is defined since Vista according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx ? Maybe it would make sense to switch to DLT_LOOPBACK

You mean DLT_LOOP rather than DLT_LOOPBACK (that's what OpenBSD, which introduced DLT_LOOP, calls it).

Yeas that's what I meant. Sorry for the typo.

> in that case (in that case the packet type must be put in network order).

Yes, that's what's different about DLT_LOOP - the address family value is in network byte order rather than host byte order.

Note that, if all packets are IPv4 or IPv6 packets, you could also use NdisMediumIP, if that means "received and transmitted packets begin with an IP header and have no link-layer header", and map that to DLT_RAW.

Correct, but I was finding the NdisMediumLoopback type maybe more representative as there can be other interfaces using raw IP (liek MBIM USB class). At least with such DLT we have no doubt regarding the fact that it is a loopback capture :)