Loopback capture setup
The following will explain capturing on loopback interfaces a bit.
If you are trying to capture traffic from a machine to itself, that traffic will not be sent over a real network interface, even if it’s being sent to an address on one of the machine’s network adapters. This means that you will not see it if you are trying to capture on, for example, the interface device for the adapter to which the destination address is assigned. You will only see it if you capture on the «loopback interface», if there is such an interface and it is possible to capture on it; see the next section for information on the platforms on which you can capture on the «loopback interface».
Supported Platforms
See CaptureSetup/NetworkMedia for Wireshark capturing support on various platforms. Summary: you can capture on the loopback interface on Linux, on various BSDs including macOS, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows without Npcap.
Windows
Starting from Windows 7: Npcap
Npcap is an update of WinPcap using NDIS 6 Light-Weight Filter (LWF), done by Yang Luo for Nmap project during Google Summer of Code 2013 and 2015. Npcap adds several new features to those existing in WinPcap, including loopback traffic capture.
In the list of capture interfaces, select «Adapter for loopback traffic capture» and begin capturing as usual. The data link type for this adapter is DLT_NULL .
Earlier releases of Npcap (before 0.9983) installed a software network adapter called «Npcap Loopback Adapter» for this purpose. This is no longer necessary, and can disrupt network operations in some cases. If it is present in a more recent installation, it can be removed by running (as Administrator) NPFInstall.exe -ul from the Npcap installation directory (usually C:\\Program Files\\Npcap ). Check Device Manager ( devmgmt.msc ) to ensure the adapter itself has been uninstalled.
The current latest installer can be found here: https://npcap.com/#download, the source code can be found here: https://github.com/nmap/npcap
Starting from Wireshark 3.0.0, the Windows installer includes and will install a recent version of Npcap.
IP 127.0.0.1
You can’t capture on the local loopback address 127.0.0.1 with WinPcap. The following page from «Windows network services internals» explains why: The missing network loopback interface.
You can, however, use Npcap or a raw socket sniffer like RawCap to capture localhost network traffic in Windows. Read more here:
IP other
You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results as expected either.
This adapter is available from Microsoft:
… and is quite different than the ones available for various UN*X systems. This adapter is a virtual network adapter you can add, but it will not work on the 127.0.0.1 IP addresses; it will take its own IP address. BTW: You can only add one Loopback Adapter to the system!
Beware: Capturing from this Loopback Adapter requires the WinPcap 3.1 release, 3.1 beta versions won’t work!
Let’s suppose you have set the IP address of the loopback adapter to 10.0.0.10 and are capturing on that interface. If you ping to this 10.0.0.10 address the ping will get ping replies, but you won’t see any of this traffic in Wireshark (much like the 127.0.0.1 problem). If you ping on 10.0.0.11, you won’t get ping replies as there is obviously no remote host, but you will see the corresponding ARP requests in Wireshark.
The only benefit I can see so far is if you use it with colinux (and probably other PC virtualization software) to capture the traffic between Windows and the virtual machine. — UlfLamping
Recipe (to capture traffic on ms loopback adapter / Windows XP): — by mitra
I am now using the loopback adapter to capture traffic that I source into a Dyanmips/Dynagen virtual router network. This is a potentially very useful tool/feature that I will be testing further in the weeks to come. As it stands, I can connect my loopback adapter to a virtual router interface and capture ping, arp, etc. In the near future, I hope to tie a server w/ a loopback adapter to a virtual router and then capture a full client/server type of exchange across a Dynamips/Dynagen emulated network. – Scott Vermillion
NOTE: To get to the Microsoft Loopback Adapter Properties: Start -> Settings -> Control Panel -> System -> Device Manager -> Network Adapters and right click Microsoft Loopback Adapter to select Properties. – saran
Commercial Alternatives
A commercial network sniffer called CommView (from TamoSoft) allows you to capture packets on the localhost network adapter but it dissects fewer protocols, so you can capture packets with CommView and save them into a file and open it with Wireshark.
Other Alternatives
- Add a route to your local machine going through the network gateway:
with <your_IP> being different from 127.0.0.1. It should (has to) be the result of ipconfig command (ip address field) <the_gateway> has to be the default gateway field taken from ipconfig /all result.
Doing so, every network traffic from your machine to itself will use the physical network interface, it will then go to the gateway, back to you. Therefor, you will see each packet twice, but it can be filtered on the view.
Be careful, since your machine will use the actual network to talk to itself, it may overload the network. It may be wise to remove the new route once you are done with the tests:
- Proxocket — A Winsock Proxy Sniffer Written by Luigi Auriemma, this great tool appears to be a Layered Service Provider that can be used to capture calls between an application and the Winsock functions in Windows. By doing this, one is able to effectively capture loopback traffic on a per-process basis.
My own experience with proxocket is as follows: After installing the ws2_32.dll from proxocket into a directory containing 3 binaries that communicate with each other over the loopback interface and starting them all up, it generated 3 separate capture files, one for each process, which I was then able to merge together into a single capture file using mergecap. After filtering out the duplicate packets in the file, which contained the source IP address of 0.0.0.0, I had a pretty good capture file containing loopback traffic on Windows. Some packets were clearly ordered incorrectly, but it was easy enough for me to spot them and tell what was going on.
While certainly not as good/easy as capturing loopback traffic on a *NIX platform, prior to using RawCap, this was the best way for me to obtain loopback traffic on Windows. Having said that, after using RawCap, I don’t see why anyone would want to use this.
Setup localhost capturing from powershell
Recipes and explanation is here. (Note: Since the link no longer appears to work, here is an archived one.)
What Is Npcap Loopback Adapter Used For? (Explained)
Npcap is the project sniffing and sending library for Windows. If you have a thing for the networking and using the Microsoft Windows for that purpose, then you should definitely have seen this term appear on your PC more than once.
It is based on the WinPcap library but have some fundamental improvements that make it better choice for have if you are after Speed, Portability and the security on your network. If you are looking for what it might be used for, it is imperative that you understand what Npcap Loopback adapter is and how it works. This way, you can classify the applications in a better manner.
What Is Npcap Loopback Adapter Used For?
Npcap is the best thing that you can get as it is able to sniff loopback packets. These loopback packets are about the transmission between the services on the same machine. That means, if you are using different services or applications on the same computer or the PC, they might be interacting with each other as well. These data packets that are being sent or received are covered on the Windows Filtering Platform. After you have it installed, Npcap will create an adapter on your PC settings and it will be shown as Npcap Loopback Adapter.
Keeping an eye on the traffic
Npcap adapter will allow you to keep a close eye on the traffic that is domestic and inter-services as some adapters on the external traffic allow. This way, you will be able to check if there is some sort of virus or unauthorize access on the connection and the network that you are using.
There might be some services that can cause you to have problems if there are issues with them. This is simply the optimal way to keep an eye on the inter-services communications as well as making sure that the network is optimized the right way as it should be.
Extra Layer of Security
Npcap is one of the best things to have on your PCs if you are concerned about the network security. It allows Administrators only to sniff the packets that are being transferred over the network. This way, other users with the credentials will also not be able to sniff any packets and have access to the communication that is being done on the inter-services part. This extra layer of security can be disabled or enabled according to your choice.
Commercial Usage
There are also some commercial applications that these Npcap might being used for. Microsoft is offering a special version of Npcap with enterprise features with commercial features and a lot more on it.
This can help all the commercial users to have license rights allowing customers to redistribute Npcap with their products as well. In addition to all that, the enterprise features allow them to install commercial support and other installations. This way, whole commercial network for up to 5 PCs are secure and they are going to help you out in securing the servers overall for all sorts of commercial applications.
What is the purpose of the Microsoft Loopback Adapter?
Just as the question says, what is the Microsoft Loopback Adapter, and as a bonus, what scenerios as a developer would it be useful? I’ve noticed it’s been required when installing a couple of applications to my machine, but aside from guessing, I’ve never have had a sturdy understanding of it’s functionality.
I’ve read a couple of articles online, but nothing really made me «get it». While I don’t need a hugely complex answer, a little explaination would be very useful.
6 Answers 6
When sending messages to 127.0.0.1 (or the localhost) the internal network driver typically handles this by shortcutting a few steps.
If you have a networksniffer/protocol analyzer like wireshark, it can not see these shortcutted packets.
By using a loopback adapter, the messages get send much further through the stack, enabling programs like wireshark to capture the packets (and enabling you to analyze the packets)
Well, the best answer I can give you is a few links. http://en.wikipedia.org/wiki/Loopback The key sentence here is
«Any traffic that a computer program sends to the loopback interface is immediately received on the same interface.»
Basically, it’s a fake network interface, useful for tests and stability. In practice, most likely something you’ll never have to worry about (or you’d already know about it!)
Here’s an explanation that might be a bit easier to understand — one I’m working on at the moment.
We (a Bank) are pretty damn secure, as you would expect. One of our third party vendors requires the POS java app that we have to use connect to a 172.x.x.x address. Well, that’s not routable.
So we have loopback adapters, one for each of their 172.x.x.x addresses, with the address we will allow as the IP. We then use the «netsh» command to redirect traffic.
So any traffic that access, for example, 172.1.1.1 will get intercepted by Loopback Adapter #1 and redirected to 10.2.2.2. The pain is having one adapter per address.
Hope that makes it a little clearer.
Some software requires some network functionality, even if the machine in question doesn’t have network functionality. The loopback is a dummy network driver, which can have real network protocols bound to it. This allows the software to install properly, even though there isn’t a real network card installed in the machine.
A loopback adapter is required if you are installing on a non-networked computer to connect the computer to a network after the installation.
When you install a loopback adapter, the loopback adapter assigns a local IP address for your computer. After the loopback adapter is installed, there are at least two network adapters on your computer: your own network adapter and the loopback adapter. You can change the bind order for the adapters without reinstalling the loopback adapter. The bind order of the adapters to the protocol indicates the order in which the adapters are used. When the loopback adapter is used first for the TCP/IP protocol, all programs that access TCP/IP first probe the loopback adapter. T
It is mostly used if you have programs that have an expiration date, so that it keeps working.
-
The Overflow Blog
Linked
Related
Hot Network Questions
Subscribe to RSS
To subscribe to this RSS feed, copy and paste this URL into your RSS reader.
Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.8.29.43607
By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.
Npcap loopback adapter что это
The Users’ Guide covers the basics of installing and removing Npcap, interactions with WinPcap, frequently asked questions, and how to report bugs.
Because Npcap is a packet capture architecture, not merely a software library, some aspects of installation and configuration may fall to the end user. This Users’ Guide covers the basics of installing, configuring, and removing Npcap, as well as how to report bugs.
Installation
Npcap is distributed as a signed executable installer, downloadable from Nmap.com. Major versions are backwards-compatible, and users of the free non-commercial version are encouraged to upgrade regularly for security and stability fixes. Software distributors may have separate requirements for supported Npcap versions. Please refer to the Npcap License for terms of use and redistribution.
The Npcap installer and uninstaller are easy to use in “ Graphical Mode ” (direct run) and “ Silent Mode ” (run with /S parameter, available only with Npcap OEM).
Installer options
The installer accepts several command-line options that correspond to the options presented in the graphical interface (GUI). The options can be set by command-line flags taking the form / <name> = <value> .
The values for these options must be one of:
yes : select the option
no : unselect the option
enforced : select the option and make it unchangable in the GUI
disabled : unselect the option and make it unchangable in the GUI
Graphical installer options
The following options are presented as checkboxes in the installer, but can be set or locked via command-line flags. Unless otherwise noted, the default for these options is no .
Legacy loopback support for Nmap 7.80 and older. Not needed for Wireshark. Older versions of Npcap required a Microsoft KM-TEST loopback adapter to be installed in order to capture and inject loopback traffic. This is no longer needed, but some software won’t be able to do loopback injection unless the adapter is installed. Use this option to install the legacy loopback adapter if needed.
Restrict Npcap driver’s access to Administrators only . When this option is chosen, the devices created by the Npcap driver for capture and injection on each network adapter will be created with a restrictive ACL that only allows access to the device by the SYSTEM and built-in Administrators. Because this level of access requires UAC elevation, a helper binary, NpcapHelper.exe , is used to request elevation for each process that opens a capture handle.
Support raw 802.11 traffic (and monitor mode) for wireless adapters . This option installs a second Lightweight Filter Driver that uses the Native WiFi API to capture raw 802.11 WiFi frames on devices that are put into network monitor mode. Captured frames are given a Radiotap header. Not all hardware or network drivers support the Native WiFi API.
Install Npcap in WinPcap API-compatible Mode . The default for this option is yes in Npcap 0.9985 and later. Npcap’s DLLs have always been installed into a separate Npcap subdirectory of the system directory to avoid conflicting with existing WinPcap installations. This option also installs the DLLs to the system directory, replacing WinPcap. Any existing WinPcap installation will be removed.
Install older driver . Microsoft continues to tighten their policy on what types of certificates and authorities may sign drivers. In cases where the current driver may not strictly meet these requirements, the /prior_driver option may be used to install the last version of the driver that meets these requirements. In cases where no such driver exists, this option is ignored.
Command-line installation options
Some advanced or deprecated options are only available on the command-line. Options marked (deprecated) are subject to removal in future versions.
Installs Npcap without showing any graphical windows or prompts. This option is case-sensitive. Silent install is available only for Npcap OEM.
The default for this option is yes , so the installer will not set a system restore point. Windows may independently create a restore point because of the driver installation independent from this option. To ensure a restore point is made, specify /disable_restore_point=no .
Control termination of processes using Npcap during upgrades or WinPcap when /winpcap_mode=yes is chosen. See the section called “Uninstaller options” for more detailed discussion.
Uninstall and replace an existing Npcap installation even if it is newer than this version of the installer. By default, the Npcap installer will not remove and replace a version of Npcap that is newer than its own. In GUI mode, this hides the message box asking the user how to proceed.
Uninstall and replace an existing Npcap installation of any version if it does not provide the same features as the other command-line options specify. Features are the /winpcap_mode, /dot11_support, /loopback_support, and /admin_only options.
Uninstall and replace an existing Npcap installation regardless of version or whether the installation would be modified. By default, the Npcap installer will not remove and replace a Npcap installation of the same version unless the install options would be modified. In GUI mode, this hides the message box asking the user how to proceed.
/D (destination directory)
The destination directory for installation can be overridden by the /D option, with a few restrictions. First, it will only affect where Npcap keeps its installation logs and helper utilities. The driver and DLLs will always be installed into the appropriate directories below %SYSTEMROOT%\System32\ . Second, the /D must be the last option in the command, and the path must not contain quotes. This option is case-sensitive. For example, to change the installation directory to C:\Path With Spaces\ , the invocation would be: npcap- <version> .exe /D=C:\Path With Spaces
Automatically start the Npcap driver at boot time . This option defaults to yes , because Windows expects NDIS filter drivers to be available at boot time. If you choose to disable this, Windows may not start networking for up to 90 seconds after boot.
/vlan_support (deprecated, ignored)
Support 802.1Q VLAN tag when capturing and sending data (currently unsupported) . This feature was disabled in 2016 to prevent a crash and has not been re-enabled.
Uninstaller options
The uninstaller provided with Npcap also accepts some command-line options.
Uninstalls Npcap without showing any graphical windows or prompts. Silent uninstall is available in all editions of Npcap, not just Npcap OEM. If Npcap OEM installer in silent mode needs to uninstall an older Npcap installation, it passes the /S option to the existing uninstaller. This option is case-sensitive.
/Q (Quick uninstall)
Skips the confirmation page and finish page in the uninstall wizard. This option does not have any meaning for silent uninstalls.
/no_kill = <yes|no> (do not kill processes)
Controls how the uninstaller handles processes that are still using Npcap at the time of uninstall. The default value is no , which allows the uninstaller to terminate processes that would block Npcap from being uninstalled. If /no_kill=yes is specified, then Npcap uninstaller will fail if there are still applications using Npcap driver or DLLs.
In the default case, /no_kill=no , the graphical uninstaller will give the user the choice to manually close the offending programs, have the uninstaller terminate them, or abort the uninstallation. In silent mode, Npcap uninstaller will immediately terminate any command-line processes that are using Npcap (like a Nmap process that is still scanning), and wait for at most 15 seconds to gracefully terminate any GUI processes that are using Npcap (like Wireshark UI that is still capturing). “ Gracefully ” means that if you are still capturing via Wireshark, Wireshark UI will prompt the user about whether to save the current capture before closing. The user will have 15 seconds to save his session. Note: although Npcap uninstaller won’t terminate Wireshark UI processes immediately, the live capture stops immediately. This is because Wireshark UI uses command-line processes named dumpcap.exe to capture, and that command-line process will be terminated immediately.
If this option is provided on the installer command line, it will be passed to the Npcap uninstaller when doing an upgrade or replacement.
Disabled and enforced options for GUI Mode
We may disable or enforce certain options in the installer GUI to make them unselectable. This usually means that those options can easily cause compatibility issues and are considered not suitable for most users, or we think we need to enforce some rules for the Npcap API. Advanced users can still change their states via command-line parameters, which is described in following sections.
Fortunately, if a distributor wants to start the Npcap installer GUI and disable or enforce certain options for reasons like compatibility. It can also use the four value mechanism by setting the command-line parameters to disabled or enforced . For example, the following command will start an installer GUI with the loopback_support option disabled and unselected:
npcap- <version> .exe /loopback_support=disabled
Windows platforms supported
Npcap supports all Windows versions currently supported by Microsoft. Depending on Windows version, the driver may support a different NDIS version, which corresponds to a set of network stack features.
On Windows 10 , Windows Server 2016 , and Windows Server 2019 , Npcap installs a NDIS 6.50 driver.
On Windows 8.1 , Windows 8 , Windows Server 2012 R2 , and Windows Server 2012 , Npcap installs a NDIS 6.30 driver.
On Windows 7 and Windows Server 2008 R2 , Npcap installs a NDIS 6.20 driver.
Microsoft will end Extended support for Windows versions prior to Windows 10 on January 10, 2023. After that time, new Npcap releases may omit support for these operating systems.
Npcap can be installed on x86, x86-64, and ARM64. DLLs for the native architecture will be installed, as well as x86 DLLs for applications running in 32-bit emulation.
How to use Wireshark to capture raw 802.11 traffic in “ Monitor Mode ”
The latest Wireshark has already integrated the support for Npcap’s “ Monitor Mode ” capture. If you want to use Wireshark to capture raw 802.11 traffic in “ Monitor Mode ” , you need to switch on the monitor mode inside the Wireshark UI instead of using the section called “WlanHelper”. This is because Wireshark only recognizes the monitor mode set by itself. So when you turn on monitor mode outside Wireshark (like in WlanHelper ), Wireshark will not know the adapter has been in monitor mode, and will still try to capture in Ethernet mode, which will get no traffic. So after all, the correct steps are:
Install latest version Wireshark and latest version Npcap with Support raw 802.11 traffic option checked.
Launch Wireshark QT UI (GTK version is similar), go to “ Capture options ” . Then toggle the checkbox in the “ Monitor Mode ” column of your wireless adapter’s row. Click the “ Start ” button. If you see a horizontal line instead of the checkbox, then it probably means that your adapter doesn’t support monitor mode. You can use the WlanHelper tool to double-check this fact.
To decrypt encrypted 802.11 data packets, you need to specify the decipher key in Wireshark, otherwise you will only see 802.11 data packets.
Stop the capture in Wireshark UI when you finishes capturing, the monitor mode will be turned off automatically by Npcap.
Network interruption while installing Npcap: Installing a filter driver may cause brief interruptions to network connectivity based on the specific changes needed to install the driver in the network stack. This known issue is documented as issue #53 on our tracker.
A separate issue is a longer interruption in connectivity if the npcap service is not started, which used to be an installer option. As Microsoft states here, an optional NDIS light-weight filter (LWF) driver like Npcap could cause 90-second delay in network availability . Some solutions you could try are: 1) wait for 90 seconds; 2) disable and re-enable the adapter icon in ncpa.cpl ; 3) reboot. If the network is still unable to connect, please file a bug report.
Installation fails with error code 0x8004a029 : The cause is that you have “ reached the maximum number of network filter drivers ” , see solution here.
Npcap Loopback Adapter is missing (legacy loopback support): The legacy Npcap Loopback Adapter is actually a wrapper of Microsoft Loopback Adapter. Such adapters won’t show up in Wireshark if the Basic Filtering Enging (BFE) service was not running. To fix this issue, you should start this service at services.msc manually and restart the Npcap service by running net stop npcap and net start npcap . See details about this issue here.
Npcap only captures TCP handshake and teardown, but not data packets. Some network adapters support offloading of tasks to free up CPU time for performance reasons. When this happens, Npcap may not receive all of the packets, or may receive them in a different form than is actually sent on the wire. To avoid this issue, you may disable TCP Chimney, IP Checksum Offloading, and Large Send Offloading in the network adapter properites on Windows. See details about this issue in issue #989 on our tracker.
Reporting Bugs
Please report any bugs or issues about Npcap on the Nmap Project’s Issues tracker. In your report, please provide your DiagReport output, user software version (e.g. Nmap, Wireshark), steps to reproduce the problem, and other information you think necessary. If your issue occurs only on a particular OS version (e.g. Win10 1511, 1607), please mention it in the report.
Diagnostic report
Npcap has provided a diagnostic utility called DiagReport . It provides a lot of information including OS metadata, Npcap related files, install options, registry values, services, etc. You can simply click the C:\Program Files\Npcap\DiagReport.bat file to run DiagReport . It will pop up a text report via Notepad (it’s stored in: C:\Program Files\Npcap\DiagReport.txt ). Please always submit it to us if you encounter any issues.
General installation log
Npcap keeps track of the installation in a log file: C:\Program Files\Npcap\install.log . Please submit it together in your report if you encounter issues during the installation (e.g. the installer halts).
Driver installation log
Npcap keeps track of the driver installation (aka commands run by NPFInstall.exe ) in a log file: C:\Program Files\Npcap\NPFInstall.log , please submit it together in your report if you encounter issues during the driver installation or problems with the “ Npcap Loopback Adapter ” .
There’s another system-provided driver installation log in: C:\Windows\INF\setupapi.dev.log . If you encounter errors during the driver/service installation, please copy the Npcap-related lines out and send them together in your report.
Dynamic link library (DLL) log
For problems with Npcap’s regular operation, you may need to obtain a debug log from Packet.dll . To do this, you will need a debug build of Npcap. If you are a Npcap developer, you can build the Packet.sln project with the _DEBUG_TO_FILE macro defined. If you are an end user, you can contact the Npcap development team for the latest Npcap debug build. The debugging process will continue to append to the debug log ( C:\Program Files\Npcap\Packet.log ), so you may want to delete it after an amount of time, or save your output to another place before it gets too large.
Driver log
If there is an issue with the Npcap driver, you can open an Administrator command prompt, enter sc query npcap to query the driver status and net start npcap to start the driver (replace <npcap> with <npf> if you installed Npcap in “ WinPcap Compatible Mode ” ). The command output will inform you whether there’s an error. If the driver is running well, but the issue still exists, then you may need to check the driver’s log. Normal Npcap releases don’t switch on the driver log function for performance. Contact the Npcap development team to obtain a driver-debug version of the Npcap installer. When you have got an appropriate driver-debug version Npcap, you need to use DbgView to read the Windows kernel log (which contains our driver log). You may need to turn on DbgView before installing Npcap, if the error occurs when the driver loads. When done, save the DbgView output to a file and submit it in your report.