Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Guy Harris <[email protected]>
Date: Mon, 24 Aug 2015 10:12:40 -0700
On Aug 24, 2015, at 6:08 AM, Yang Luo <[email protected]> wrote:

> I have looked at all occurrences of PCAP_IF_LOOPBACK in Npcap's wpcap.dll code at https://github.com/nmap/npcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK, it seems that this property is never effectively used inside wpcap.dll's code.

In fad-win32.c, pcap_add_if_win32() is used by pcap_findalldevs(), and pcap_add_if_win32() calls add_or_find_if() in inet.c, and add_or_find_if() uses PCAP_IF_LOOPBACK.

That shows up in the GitHub search done with the URL you specify.

> In Wireshark's WinPcap official trunk, it is totally unused except some prints. See: https://github.com/wireshark/winpcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK.

That's because Wireshark's WinPcap official trunk only includes the WinPcap driver, the WinPcap packet.dll DLL, and the WinPcap routines that aren't already part of the official libpcap source - fad-win32.c and inet.c are both part of the official libpcap source:



> So currently PCAP_IF_LOOPBACK is never set in any pcap_if_t struct for WinPcap and Npcap.

That should be fixed.

> And It seems to work fine without setting it. Where would Wireshark use this PCAP_IF_LOOPBACK  for?

1) WinPcap *itself* uses it to ensure that loopback interfaces sort after non-loopback interfaces, so that if a machine has both "real" and loopback interfaces active, the default interface won't end up being a loopback interface;

2) Wireshark uses it to flag interfaces as being loopback interfaces in some places (see the uses of the "loopback" flag in the if_info_t structure).