AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
But, if the LWF doesn't really interact with the NIC much, it's often a non-event. In general, we add distinct binding tokens when there's something different about the interface that LWFs may have to take into consideration. I'm just saying that you should try it out before committing a PR that adds a claim that the LWF supports iovvf. Although, as you pointed out, there's no workaround by tapping the netvsc - I don't want to discourage you from binding to iovvf interfaces. If there's a value named LowerRange and it has only iovvf, then my comments about bindings apply. Where is whichever key has all the Broadcom stuff under it. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\\Ndi\Interfaces You can check quickly by looking at the registry key: My comments about INFs and bindings may or may not apply, depending on how Broadcom and RedHat decided to expose the VF to the guest OS. The VF architecture in Windows is (for better or worse) somewhat coupled to netvsc, to provide seamless failover. I honestly have no idea how a VF would look if it was exposed from another hypervisor. In other words, this is your network architecture looks like this (zoomed in from - Oh, that's interesting. The netvsc adapter will show all the traffic to/from the VF. ![]() Silently capturing traffic shouldn't cause any problems, but setting a OID_GEN_CURRENT_PACKET_FILTER does theoretically perturb the state of the system, so it could theoretically break something that wasn't expecting it.Īlso, keep in mind that even without any changes to npcap, you can still capture traffic from the VF right now: just attach to the netvsc (Hyper-V) interface. You should test it a bit to make sure that your LWF doesn't break things. ![]() But before you rush out and do that - be advised that a VF stack is not quite the usual TCPIP stack. Example: FilterMediaTypes=ethernet,bluetooth,iovvf. I believe you'd only have to append iovvf to your INF's FilterMediaTypes. If you want, you can modify the LWF's INF to bind to VF adapters too. But a VF has UpperRange=ndisvf and LowerRange=iovvf. Usually an Ethernet adapter would have UpperRange=ndis5 (ignore the name it's not actually NDIS 5.x) and LowerRange=ethernet. ![]() ![]() This is accomplished by setting the UpperRange and LowerRange in a VF's INF to distinct tokens. It does this so it can provide seamless and transparent failover if the VM is migrated to a host that doesn't have a VF.īecause it isn't just a regular Ethernet+TCPIP situation, the VF's network interface is designed to not bind all the usual filters by default. netvsc exposes the VF's traffic up through its own datapath. The VF doesn't bind directly to most drivers - instead, it slots into a purpose-built protocol driver that is bundled with netvsc (the Hyper-V network adapter). I'd give up the functionality to use them in WSL then.Ah this is sort of by design, at least from the OS's point of view. My best bet is that this is Windows 10's driver to access network adapters, and this is probably still under control of WSL, when I don't even have it actively running.Īny clues on how to take back control over my network devices with Wireshark from here? I tried reinstalling WinPcap, but it would throw an error, saying that it can't access "C:\WINDOWS\system32\npf.sys". So, I even restarted Windows and still, no change here. Now, I hoped I could capture the result in Wireshark in the host system, Windows 10, but I got this error: It took me quite a while to get it all running, so I do not remember all the steps I took.Īnyway, I got to that point that I was able to see my network devices in Kali Linux, in WSL2, and I was starting a network tool. I've been using Wireshark for weeks, but recently I installed Windows Subsystem for Linux (WSL2) with Kali Linux, planning to do some network analysis.
0 Comments
Read More
Leave a Reply. |