2

I am developing an NDIS 6 filter driver for Win7 and Win8 for WinPcap and Nmap. As you know, Nmap is a network scanner. A requirement of Nmap is to capture localhost packets like "ping 127.0.0.1", so that Nmap can test the local machine itself, too. However, it seems that the localhost packets just return within the TCP/IP stack and never come to the NDIS layer. Is there any way to resolve this issue? Like adding a loopback adapter or what? Thanks.

hsluoyz

2 Answers

2

You'll need a WFP callout to capture layer-3 loopback packets. TCPIP has a fast-path for loopback that never reaches layer-2 in NDIS.

Jeffrey Tippet
  • As far as I know, a WFP callout cannot handle pure layer-2 packets like ARP because it is not TCP/IP. And a filter driver is necessary for capturing pure layer-2 packets like ARP. Here's a question. Is it possible to integrate NDIS filter driver and WFP callout into one driver (like npf.sys)? NDIS filter driver captures the non-loopback packets and WFP callout captures the loopback ones. – hsluoyz Aug 12 '13 at 03:10
  • Both a WFP callout and an NDIS LWF can sit inside the same driver binary. They wouldn't share much between the WFP and NDIS edges. It'd really be two separate drivers packaged together. If you want to see both layer-2 and layer-3 stuff, this is probably necessary. (Note the WFP does provide a few layer-2 options, but that's limited to Windows 8+, so is unlikely to meet your cross-platform needs). – Jeffrey Tippet Aug 12 '13 at 06:42
1

You can capture localhost (127.0.0.1) traffic in Windows by using raw sockets. There is a great tool called RawCap that sniffs localhost and saves the captured packets in the PCAP format. http://www.netresec.com/?page=RawCap

Erik
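The raw-socket approach from the answer above, as an added example (not RawCap's code): a Windows raw socket bound to 127.0.0.1 with SIO_RCVALL delivers IP packets without any link-layer header, so the PCAP file is written with link type 101 (LINKTYPE_RAW) rather than Ethernet. The capture loop assumes Windows and administrator rights; the PCAP and IPv4 helpers are platform-independent, and the file name is an assumed placeholder.

```python
"""Sniff loopback (127.0.0.1) IPv4 traffic via a raw socket and save it as PCAP."""
import socket
import struct
import sys
import time

LINKTYPE_RAW = 101  # PCAP link type for bare IP packets (raw sockets deliver no Ethernet header)


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_RAW):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network (little-endian)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts=None):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len, then the packet bytes
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def ipv4_summary(packet):
    """Return (src, dst, protocol) for a raw IPv4 packet, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto


def capture_loopback(path, count):
    """Windows-only: receive `count` IP packets on 127.0.0.1 and write them to `path`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind(("127.0.0.1", 0))  # SIO_RCVALL requires a bound socket
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)  # deliver all IP traffic seen on this address
    try:
        with open(path, "wb") as f:
            f.write(pcap_global_header())
            for _ in range(count):
                pkt = s.recv(65535)
                f.write(pcap_record(pkt))
                print(ipv4_summary(pkt))
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()


if __name__ == "__main__":
    # assumed placeholder file name; run as administrator on Windows
    capture_loopback(sys.argv[1] if len(sys.argv) > 1 else "loopback.pcap", 10)
```

Because the socket is bound to 127.0.0.1, this sees only the TCP/IP loopback fast path the question describes, not ARP or other layer-2 frames, which is why the accepted answer still needs an NDIS filter alongside it.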