[tcpdump-workers] Adding loopback adapter detection for Windows

Guy Harris guy at alum.mit.edu
Mon Jan 25 15:46:32 EST 2016

On Jan 24, 2016, at 7:47 PM, Yang Luo <hsluoyb at gmail.com> wrote:

> My ubuntu 14.04 shows the lines below, so I think it doesn't support IFF_LOOPBACK.
> root at ly-controller:~# ifconfig lo
> lo        Link encap:Local Loopback 
>           inet addr:  Mask:
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:10580846 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:10580846 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:2877631654 (2.8 GB)  TX bytes:2877631654 (2.8 GB)

No, it *does* support it.

> However Windows supports it.

Yes, there's an IFF_LOOPBACK flag in Winsock:


But is it actually set for any interface, or is it just provided for source compatibility with various UN*Xes?

> <image.png> 
> I have analyzed the code related to me. Currently my code is in inet.c----add_or_find_if. It has curdev->flags and this must be set. What pcap-win32.c has is pcap_create and pcap_activate_win32, called by pcap_open_live which is called by add_or_find_if. If I make the change in pcap-win32.c, the code would be very ugly.

In the current version of the code on the trunk, which I just checked in, add_or_find_if() takes PCAP_IF_ flags, rather than IFF_ flags, as arguments.

In pcap_add_if_win32(), check whether the interface is a loopback interface and, if it is, pass PCAP_IF_LOOPBACK to add_or_find_if(), otherwise pass 0.

(There appear to be OIDs that will determine whether the interface is "working" or not, but 1) they appear to be different in NDIS 5 and NDIS 6 and 2) they don't separate "up" and "running", so you could only use them to determine whether to pass PCAP_IF_UP|PCAP_IF_RUNNING, possibly combined with PCAP_IF_LOOPBACK, or just 0, possibly combined with PCAP_IF_LOOPBACK.)

> Maybe I should just put my code in inet.c and wrap it with #ifdef WIN32 macro?

No - see above.

More information about the tcpdump-workers mailing list