Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test
From: Yang Luo <[email protected]>
Date: Tue, 25 Aug 2015 14:19:53 +0800

Npcap 0.04 r7 is released.

1) One change is that PCAP_IF_LOOPBACK is set for "Npcap Loopback Adapter" in DLT_NULL mode in Npcap 0.04 r7. So if you install Npcap with DLT_NULL mode checked, you can see "Npcap Loopback Adapter" is listed in the last row of Wireshark UI.

2) Another change is that I have included the 802.1Q VLAN capture support provided by Nobori's Win10Pcap. You will see the "VLAN Support" option in the installation and it's checked by default. I didn't test it because I didn't have a network that can send me VLAN tagged traffic, hope any test about this feature or any ideas about how to test it.

Latest installer is at:


On Tue, Aug 25, 2015 at 1:12 AM, Guy Harris <[email protected]> wrote:

On Aug 24, 2015, at 6:08 AM, Yang Luo <[email protected]> wrote:

> I have looked at all occurrences of PCAP_IF_LOOPBACK in Npcap's wpcap.dll code at https://github.com/nmap/npcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK, it seems that this property is never effectively used inside wpcap.dll's code.

In fad-win32.c, pcap_add_if_win32() is used by pcap_findalldevs(), and pcap_add_if_win32() calls add_or_find_if() in inet.c, and add_or_find_if() uses PCAP_IF_LOOPBACK.

That shows up in the GitHub search done with the URL you specify.

> In Wireshark's WinPcap official trunk, it is totally unused except some prints. See: https://github.com/wireshark/winpcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK.

That's because Wireshark's WinPcap official trunk only includes the WinPcap driver, the WinPcap packet.dll DLL, and the WinPcap routines that aren't already part of the official libpcap source - fad-win32.c and inet.c are both part of the official libpcap source:



> So currently PCAP_IF_LOOPBACK is never set in any pcap_if_t struct for WinPcap and Npcap.

That should be fixed.

> And It seems to work fine without setting it. Where would Wireshark use this PCAP_IF_LOOPBACK  for?

1) WinPcap *itself* uses it to ensure that loopback interfaces sort after non-loopback interfaces, so that if a machine has both "real" and loopback interfaces active, the default interface won't end up being a loopback interface;

2) Wireshark uses it to flag interfaces as being loopback interfaces in some places (see the uses of the "loopback" flag in the if_info_t structure).
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-reque[email protected]?subject=unsubscribe