Wireshark mailing list archives
The IPv6 value "24" in DLT_NULL causes Npcap's BPF filter not to work for IPv6 loopback packets.
From: Yang Luo <hsluoyb () gmail com>
Date: Wed, 14 Sep 2016 13:03:54 +0800
Hi list,

We currently found an issue about the DLT_NULL (thanks to Dan): the pcap filters do not work for IPv6 traffic over Npcap Loopback Adapter (with DLT_NULL option enabled). If I specify a filter like "ip6" in Wireshark and capture on Npcap Loopback Adapter, it turns out that there won't be any packets captured, even if I ping localhost with "ping ::1". And installing Npcap with DLT_NULL option disabled or specifying an IPv4-related filter doesn't cause this issue.

We found this issue is caused by the IPv6's value in DLT_NULL. The current implementation of Npcap is using 24 (the same as OpenBSD, NetBSD, and BSD/OS) to represent IPv6 in DLT_NULL header. The following code is defined in Npcap's driver:

    /*
     * Types in a DLT_NULL (Loopback) header.
     */
    #define DLTNULLTYPE_IP   0x00000002 /* IP protocol */
    #define DLTNULLTYPE_IPV6 0x00000018 /* IPv6 */

What Npcap defined is currently consistent with Wireshark. Wireshark defines 3 values for DLT_NULL's IPv6 here: https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/epan/dissectors/packet-null.c#L53-L63

    /* Family values. */
    static const value_string family_vals[] = {
        {BSD_AF_INET,          "IP"             },
        {BSD_AF_ISO,           "OSI"            },
        {BSD_AF_APPLETALK,     "Appletalk"      },
        {BSD_AF_IPX,           "Netware IPX/SPX"},
        {BSD_AF_INET6_BSD,     "IPv6"           },
        {BSD_AF_INET6_FREEBSD, "IPv6"           },
        {BSD_AF_INET6_DARWIN,  "IPv6"           },
        {0,                    NULL             }
    };

But the problem is, libpcap (which is used by Npcap) only supports the value 23 in the BPF filter code. (See: https://github.com/the-tcpdump-group/libpcap/blob/master/gencode.c#L3182-L3184 ).

Another argument is in http://www.tcpdump.org/linktypes.html, which says that DLT_NULL should be:

*BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet.*

In WinSock2.h (Windows's socket.h), the PF_ value is defined as:

    #define PF_INET6 AF_INET6

And AF_INET6 is defined in ws2def.h (in Windows SDK) as:

    #define AF_INET6 23 // Internetwork Version 6

In fact, DLT_NULL has already been discussed in this list before here: http://seclists.org/wireshark/2015/Aug/160 when I added that feature to Windows. I just chose 24 at that time, but now it seems that 24 is problematic.

We think the correct way to fix it is to let Wireshark recognize 23 as DLT_NULL's IPv6 value on Windows, because that's what Windows defined as PF_INET6 (and AF_INET6). However, unfortunately, it seems that Wireshark already defines other things as 23 here: https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/epan/aftypes.h#L43

    #define BSD_AF_IPX 23

So I just don't know how to solve it. Any opinions?

Cheers,
Yang
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
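An added example, not part of the original post and not code from Npcap, libpcap or Wireshark: it models the mismatch described above (a writer emitting family 24, a filter testing only 23) next to a tolerant classifier for the DLT_NULL header. All function names are hypothetical, the values 28 and 30 and the version-nibble tie-break for the ambiguous value 23 are assumptions not taken from the post, and the frames are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>

enum l3 { L3_UNKNOWN, L3_IPV4, L3_IPV6, L3_IPX };

/* The family field is 4 bytes in the capturing host's byte order. Decode it
 * as little-endian and swap if that sets the upper half (real values are small). */
static uint32_t null_family(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (v & 0xFFFF0000u)
        v = (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
    return v;
}

/* Model of the mismatch in the post: the filter side tests for 23 only. */
int filter_ip6_only_23(const uint8_t *pkt, size_t len)
{
    return len >= 4 && null_family(pkt) == 23u;
}

/* Hypothetical tolerant classifier. 2, 23 and 24 are the values in the post;
 * 28 (FreeBSD) and 30 (Darwin) are the other AF_INET6 values. */
enum l3 classify_null(const uint8_t *pkt, size_t len)
{
    if (len < 5)
        return L3_UNKNOWN;
    switch (null_family(pkt)) {
    case 2u:  return L3_IPV4;
    case 24u: case 28u: case 30u: return L3_IPV6;
    /* 23 is Windows AF_INET6 and also BSD_AF_IPX: assumed tie-break on the
     * IP version nibble (an IPX header starts with checksum 0xFFFF). */
    case 23u: return (pkt[4] >> 4) == 6 ? L3_IPV6 : L3_IPX;
    default:  return L3_UNKNOWN;
    }
}

/* Constructed sample frames: 4-byte family, then the first payload bytes. */
const uint8_t PKT_NPCAP_V6[] = {0x18, 0, 0, 0, 0x60, 0, 0, 0}; /* family 24 */
const uint8_t PKT_WIN23_V6[] = {0x17, 0, 0, 0, 0x60, 0, 0, 0}; /* family 23 */
const uint8_t PKT_IPX[]      = {0x17, 0, 0, 0, 0xFF, 0xFF, 0, 0x1E};
const uint8_t PKT_BE_V6[]    = {0, 0, 0, 0x1E, 0x60, 0, 0, 0}; /* BE, 30 */

int main(void)
{
    return !(filter_ip6_only_23(PKT_NPCAP_V6, 8) == 0 &&
             classify_null(PKT_NPCAP_V6, 8) == L3_IPV6);
}
```

The family-24 frame is the one a 23-only test drops, which is the empty "ip6" capture described in the post; the IPX frame shows why accepting 23 as IPv6 unconditionally would misclassify traffic in a dissector that also maps 23 to IPX.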