Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Npcap: pcap_sendpacket() Incompatible behavior with WinPcap #117

Closed
markpizz opened this issue Feb 19, 2020 · 2 comments
Closed

Npcap: pcap_sendpacket() Incompatible behavior with WinPcap #117

markpizz opened this issue Feb 19, 2020 · 2 comments

Comments

@markpizz
Copy link

We have identified a feature that works with WinPcap 4.1.3 that doesn't work with Npcap. This 'feature' or lack thereof, has to do with the host system's network stack being able to receive packets that are sent via pcap_sendpacket().

Our normal application sends Ethernet frames on a pcap connection opened on the host LAN interface. These packets with unique source MAC addresses (unique from the host's interface MAC address) make it readily on to the LAN using either WinPcap or Npcap. With WinPcap packets sent using pcap_sendpacket() to the host interface's MAC address are received by the host network stack. With Npcap these very same packets sent to the host's MAC (or broadcast address) aren't received by the host system's network stack.

An interesting observation: Using BOTH Npcap and WinPcap, Packets sent via pcap_sendpacket are visible in other concurrent pcap sessions on the same machine connected to the same interface.

I'm real sure that I confirmed that our expected functionality was working back in the 2016 timeframe when I was interacting with Yang during his development of Npcap. I may not have actually tested this since his early installers were somewhat unstable and had the potential to mess up the system's network setup. To avoid any danger to my development system, I did most of my testing in one of several VMs.

Current environment is Windows 10 1909 x64 and all recent versions of Npcap and WinPcap 4.1.3.

I'm attaching a test program that demonstrates this failure.

The test program will compile with Visual C or MinGW. It's only external dependency is an directory containing the Npcap/WinPcap pcap.h include file(s).

The test program sends Uses Source MAC Address of 2:3:4:5:6:7 and 2 types of packets once per second:

  1. Packets with protocol type 0x9001 to the broadcast MAC address the payload in the packet contains a text timestamp and the PID of the sending process.

  2. A ARP request packet. The ARP requests is unicast to the host system's MAC address asking for the Host Host system's IP address. The ARP request can optionally be sent to an address on the interface's LAN to consistently observe LAN interactions.

The program takes a single argument which is the name of the interface to open with pcap. If it is invoked without any arguments the list of host system interfaces is displayed. An alternate address to request an ARP response from can be specified by invoking the program with -arp {lan-system-ip-address} as command line arguments.

A thread is created to listen for traffic. Traffic is listening with a capture filter of "ether host 2:3:4:5:6:7". This will capture all traffic this program generates as well as any ARP responses. If another instance of this program is run concurrently, it will send the same messages differing only by the payload PID in the 0x9001 packets. Received packets are displayed as they arrive.

If WinPcap is installed (without Npcap), the output will include ARP reply packets that the host system's network stack generates. If Npcap is installed, only the transmitted packets will be returned. No ARP responses from the host system's network stack.

Example Output:

ARP of a system on the LAN that interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe -arp 192.168.60.6 \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: Npcap version 0.9987, based on libpcap version 1.9.1
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 21136
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 21136 at 02/18/20 15:11:47
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 21136 at 02/18/20 15:11:48
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
^C

ARP of a the host system's IP address using interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe  \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: Npcap version 0.9987, based on libpcap version 1.9.1
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 252
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:19
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:20
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:21
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 252 at 02/18/20 15:12:22
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
^C

Uninstall Npcap and install WinPcap and run the same tests:

ARP of a system on the LAN that interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe -arp 192.168.60.6 \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 16608
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:38
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:39
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:40
64 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.6
60 byte packet received -DST: 02:03:04:05:06:07 - SRC: 18:E7:28:61:2D:28 - Proto: 0806 - ARP
Message: ARP Reply sha-18:E7:28:61:2D:28 spa-192.168.60.6 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 16608 at 02/18/20 15:19:41
^C

ARP of a the host system's IP address using interface \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB} is attached to:

C:\NpcapTest>.\NpcapTest.exe  \Device\NPF_{C7A5BBA7-59DD-4B27-B5A9-BD83645D34EB}
Using: WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Interface MAC Address: 2C:FD:A1:BF:53:97
Interface IP Address: 192.168.60.46
Current PID: 10296
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:29
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
42 byte packet received -DST: 02:03:04:05:06:07 - SRC: 2C:FD:A1:BF:53:97 - Proto: 0806 - ARP
Message: ARP Reply sha-2C:FD:A1:BF:53:97 spa-192.168.60.46 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:30
64 byte packet received -DST: 2C:FD:A1:BF:53:97 - SRC: 02:03:04:05:06:07 - Proto: 0806 - ARP
Message: ARP Request sha-02:03:04:05:06:07 spa-0.0.0.0 tha-00:00:00:00:00:00 tpa-192.168.60.46
42 byte packet received -DST: 02:03:04:05:06:07 - SRC: 2C:FD:A1:BF:53:97 - Proto: 0806 - ARP
Message: ARP Reply sha-2C:FD:A1:BF:53:97 spa-192.168.60.46 tha-02:03:04:05:06:07 tpa-0.0.0.0
1024 byte packet received -DST: FF:FF:FF:FF:FF:FF - SRC: 02:03:04:05:06:07 - Proto: 9001
Message: From PID: 10296 at 02/18/20 15:19:31
^C

NpcapTest.zip
@dmiller-nmap
Copy link
Contributor

Thanks for this very detailed report. We are tracking this issue at #116, so I am closing this as a duplicate. Please note the workaround there of using the SendToRx feature. We are working on a solution to this issue as well.

markpizz referenced this issue in simh/simh Feb 19, 2020
@markpizz
ETHER: Report Windows Npcap as unsupported in the Ethernet version st…
721e2f4 
…ring

Current versions of Npcap can talk directly to the host system's network
stack.  This defect was just discovered.  Fortunately, WinPcap 4.1.3 works
as needed and is still functional on Windows 10.

As discussed in nmap/nmap#1929 and nmap/nmap#1343
markpizz referenced this issue in simh/simh Feb 23, 2020
@markpizz
ETHER: Update preferred Windows packet capture to be WinPcap
1725ed2 
- Npcap is not currently a superset of WinPcap.  Specifically it doesn't
  allow traffic from simulators to the host system to be received by the
  host system network stack.

As discussed in nmap/nmap#1929 and nmap/nmap#1343
@dmiller-nmap
Copy link
Contributor

dmiller-nmap commented Apr 6, 2020
edited

Npcap 0.9990, released on Friday, should correct this behavior. We recommend that code relying on loopback of injected packets explicitly call PacketSetLoopbackBehavior(NPF_ENABLE_LOOPBACK) in case the default should change in a future release.

EDIT: The constant is NPF_ENABLE_LOOPBACK, not PACKET_ENABLE_LOOPBACK as I had written earlier. Sorry for the confusion.

markpizz referenced this issue in simh/simh Apr 11, 2020
@markpizz
ETHER: Restore support fir Windows Npcap as Ethernet packet API
07c274a 
Version of Npcap 0.9990 restores full WinPcap functionality

As discussed in nmap/nmap#1929 and nmap/nmap#1343
@fyodor fyodor transferred this issue from nmap/nmap May 20, 2020
@fyodor fyodor mentioned this issue May 20, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@markpizz @dmiller-nmap