I am a developer of WinPcap, well-known packet capturing and sending software for Windows. I have ported WinPcap to the NDIS 6 Light-Weight Filter technique, but it still doesn't support capturing loopback packets (such as packets sent to and received from 127.0.0.1) because of Windows' nature: the loopback packets are handled directly in the TCP/IP stack and don't go down to the NDIS layer.
Someone told me that Windows Filtering Platform can see the loopback traffic, so I have done some research about it. I have several questions about this.
1) What actually are loopback packets? I mean the packets NDIS can't see. For example, when I ping 127.0.0.1, these ICMP packets are definitely loopback ones. When I ping an address that a local network adapter is bound to (like 192.168.0.24), it is also loopback, I think. Are these all the cases? If yes, then I can filter out which packets are loopback ones based on whether their local IPs are 127.0.0.1 or local adapter IPs (like 192.168.0.24).
2) I learnt that WFP has many layers, and I think my requirement should use the "IP Packet (Network Layer)". I wonder whether the WFP Network Layer can capture all loopback packets, inbound and outbound.
3) I don't know whether the loopback packets captured by WFP will have an Ethernet header. If not, then I think I should manually add an Ethernet header to the packet prefix before sending them to user mode, as WinPcap is Ethernet-level packet capture software and much software that uses WinPcap (like Wireshark) will by default parse the packets from the Ethernet layer. However, I think I will leave the whole Ethernet header as all zeros, as there is actually no Ethernet header in fact.
Thanks, I appreciate your help!
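Questions 1 and 3 both come down to two small pieces of logic: deciding whether an IP packet is loopback by its addresses, and prepending a synthetic Ethernet header before handing raw IP data to an Ethernet-level consumer. The block below is an added, portable user-mode C illustration of both, written for this page; it is not WinPcap code and not part of the question. It assumes the driver already has a table of local adapter addresses (here a constructed `local_addrs_t` with one entry, 192.168.0.24) and works on a constructed IPv4 ICMP echo request from 127.0.0.1 to 127.0.0.1, the packet "ping 127.0.0.1" generates. Where the question proposes an all-zero header, this example keeps the MAC fields zero but fills the EtherType from the IP version nibble; that is a design choice of this example, not something the question states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_IPV6  0x86DD

/* Addresses bound to local adapters (host byte order). In a driver this would be
 * learned from the interface list; here it is a constructed table the caller fills. */
typedef struct {
    uint32_t addrs[8];
    size_t   count;
} local_addrs_t;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Question 1's criterion: 127.0.0.0/8 or an address of a local adapter. */
int is_local_ipv4(uint32_t ip, const local_addrs_t *local)
{
    if ((ip & 0xFF000000u) == 0x7F000000u)
        return 1;
    for (size_t i = 0; i < local->count; i++)
        if (local->addrs[i] == ip)
            return 1;
    return 0;
}

/* A packet is treated as loopback when both its source and destination are local. */
int ipv4_is_loopback(const uint8_t *ip, size_t len, const local_addrs_t *local)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return 0;
    return is_local_ipv4(rd32(ip + 12), local) && is_local_ipv4(rd32(ip + 16), local);
}

/* Question 3: prepend a synthetic 14-byte Ethernet header. MAC fields stay zero (there
 * is no real link layer); EtherType follows the IP version nibble so an Ethernet
 * dissector hands the payload to the IPv4/IPv6 parser. Returns the framed length, or 0
 * if the input is not an IP packet or the output buffer is too small. */
size_t frame_as_ethernet(const uint8_t *ip, size_t ip_len, uint8_t *out, size_t out_cap)
{
    uint16_t ethertype;
    if (ip_len == 0 || out_cap < ETH_HLEN + ip_len)
        return 0;
    switch (ip[0] >> 4) {
    case 4:  ethertype = ETHERTYPE_IPV4; break;
    case 6:  ethertype = ETHERTYPE_IPV6; break;
    default: return 0;
    }
    memset(out, 0, 12);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)(ethertype & 0xFF);
    memcpy(out + ETH_HLEN, ip, ip_len);
    return ETH_HLEN + ip_len;
}

/* RFC 1071 one's-complement checksum, so the constructed sample packet is well-formed. */
static uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample: ICMP echo request 127.0.0.1 -> 127.0.0.1 (28 bytes). */
size_t build_sample_ping_loopback(uint8_t *buf)
{
    static const uint8_t icmp[8] = { 8, 0, 0, 0, 0x00, 0x01, 0x00, 0x01 };
    uint16_t c;
    memset(buf, 0, 28);
    buf[0] = 0x45;  buf[3] = 28;   /* IPv4, IHL 5, total length 28 */
    buf[8] = 64;    buf[9] = 1;    /* TTL 64, protocol ICMP */
    buf[12] = 127;  buf[15] = 1;   /* src 127.0.0.1 */
    buf[16] = 127;  buf[19] = 1;   /* dst 127.0.0.1 */
    memcpy(buf + 20, icmp, 8);
    c = inet_checksum(buf + 20, 8); buf[22] = (uint8_t)(c >> 8); buf[23] = (uint8_t)c;
    c = inet_checksum(buf, 20);     buf[10] = (uint8_t)(c >> 8); buf[11] = (uint8_t)c;
    return 28;
}

int main(void)
{
    uint8_t pkt[64], frame[128];
    local_addrs_t local = { { 0xC0A80018u /* 192.168.0.24 */ }, 1 };
    size_t n = build_sample_ping_loopback(pkt);
    size_t f = frame_as_ethernet(pkt, n, frame, sizeof frame);
    printf("loopback=%d framed=%zu bytes ethertype=%02x%02x\n",
           ipv4_is_loopback(pkt, n, &local), f, frame[12], frame[13]);
    return 0;
}
```

If the capture library's consumers can be told the link type, libpcap also defines header-less link types (DLT_RAW for bare IP, DLT_NULL for a BSD-style 4-byte family word), which avoid inventing an Ethernet header at all; the synthetic header above is only needed when the consumer insists on DLT_EN10MB.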