Wireshark-dev: [Wireshark-dev] The IPv6 value "24" in DLT_NULL causes Npcap's BPF filter not to
From: Yang Luo <[email protected]>
Date: Wed, 14 Sep 2016 13:03:54 +0800
Hi list,

We currently found an issue about the DLT_NULL (thanks to Dan): the pcap filters do not work for IPv6 traffic over Npcap Loopback Adapter (with DLT_NULL option enabled). If I specify a filter like "ip6" in Wireshark and capture on Npcap Loopback Adapter, it turns out that there won't be any packets captured, even if I ping localhost with "ping ::1". And installing Npcap with DLT_NULL option disabled or specifying a IPv4 related filter doesn't cause this issue.

We found this issue is caused by the IPv6's value in DLT_NULL. The current implementation of Npcap is using 24 (the same as OpenBSD, NetBSD, and BSD/OS) to represent IPv6 in DLT_NULL header. The following code is defined in Npcap's driver:

* Types in a DLT_NULL (Loopback) header.
#define DLTNULLTYPE_IP 0x00000002 /* IP protocol */
#define DLTNULLTYPE_IPV6 0x00000018 /* IPv6 */

What Npcap defined is currently consistent with Wireshark. Wireshark defines 3 values for DLT_NULL's IPv6 here:

/* Family values. */
static const value_string family_vals[] = {
  {BSD_AF_INET,          "IP"             },
  {BSD_AF_ISO,           "OSI"            },
  {BSD_AF_APPLETALK,     "Appletalk"      },
  {BSD_AF_IPX,           "Netware IPX/SPX"},
  {BSD_AF_INET6_BSD,     "IPv6"           },
  {BSD_AF_INET6_FREEBSD, "IPv6"           },
  {BSD_AF_INET6_DARWIN,  "IPv6"           },
  {0,                    NULL             }

But the problem is, libpcap  (which is used by Npcap) only supports the value 23 in the BPF filter code. (See: https://github.com/the-tcpdump-group/libpcap/blob/master/gencode.c#L3182-L3184). Another argument is in http://www.tcpdump.org/linktypes.html, it said that DLT_NULL should be:

BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet.

In WinSock2.h (Windows's socket.h), the PF_ value is defined as:

#define PF_INET6        AF_INET6

And AF_INET6 is defined in ws2def.h (in Windows SDK) as:

#define AF_INET6        23              // Internetwork Version 6

In fact, DLT_NULL has been already discussed in this list before here: http://seclists.org/wireshark/2015/Aug/160 when I added that feature to Windows. I just chose 24 at that time, but now it seems that 24 is problematic. We think the correct way to fix it is to let Wireshark recognizes 23 as DLT_NULL's IPv6 value on Windows. Because that's what Windows defined as PF_INET6 (and AF_INET6). However, unfortunately, it seems that Wireshark already defines other things as 23 here: https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/epan/aftypes.h#L43

#define BSD_AF_IPX 23

So I just don't know how to solve it. Any opinions?