[Solved] Gopacket/pcap and Windows Device Names

Edit: Complete rewrite of post.

I still want to say thanks to GoLangBridge for creating and cultivating this community.

I’ve simplified my code (technically mostly stolen the code from John Leon’s talk at GopherCon 2016 with a small change to use net package to retrieve the interface).

Now it is only attempting to open the interface and capture a single packet.

package main

import (
	"fmt"
	"log"
	"net"
	"time"

	"github.com/google/gopacket"
	"github.com/google/gopacket/pcap"
)

var (
	snapshotLength int32         = 65535
	promiscuous    bool          = false
	timeout        time.Duration = -1 * time.Second
	err            error
	handle         *pcap.Handle
)

func main() {
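	device, err := net.InterfaceByName("Ethernet")
	if err != nil {
		// Without this check a missing interface leaves device nil and device.Name panics
		log.Fatal("InterfaceByName Call: ", err)
	}
	fmt.Println(device)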
	// Open Device
	handle, err = pcap.OpenLive(device.Name, snapshotLength, promiscuous, timeout)
	if err != nil {
		log.Fatal("OpenLive Call: ", err)
	}
	defer handle.Close()

	packetSource := gopacket.NewPacketSource(handle, handle.LinkType())

	// Get the next packet
	packet, err := packetSource.NextPacket()
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(packet)
}

This is my output.
&{5 1500 Ethernet 00:d8:61:33:8e:84 up|broadcast|multicast}
2019/10/20 14:24:19 OpenLive Call: Ethernet: Error opening adapter: The system cannot find the device specified. (20)
exit status 1

Go Version: 1.13.3
npcap Version: 0.9983 (Wireshark currently works as expected with this install)
Windows 10

Running Powershell and cmd as Administrator.

It looks like my problem is with npcap or Windows, but I’m stuck. Any tips for troubleshooting this further?


Solved. I’m leaving this instead of editing, in case anyone runs into the same thing and finds this as a search result. Very likely considering how little I found searching.

The problem was the device names that I was trying.

First problem, and something that I will report as a bug, is that net.Interfaces() uses the display name for the Name property. This may have been intentional. If so, the bug is in the arpscan.go example (https://github.com/google/gopacket/blob/master/examples/arpscan/arpscan.go) where the property is used for the device name when initializing the handle with pcap.OpenLive().

Second problem is that Windows is a horrible operating system, and gives us no way (that I found) to get the actual interface name. Powershell get-netadapter gets close.
get-netadapter | where {$_.Name -eq "Ethernet"} | Select-Object -Property *
where “Ethernet” is the display name for the adapter I care about, gave
DeviceName : \Device\{13044533-0543-4AF5-9E3C-85EBBC7C04BB}
and a few other properties that contain the GUID.

However, that isn’t the name that we need.

ipconfig, where it should be, is useless.

getmac /fo csv /v
gives me
\Device\Tcpip_{13044533-0543-4AF5-9E3C-85EBBC7C04BB}

Still not it.

I honestly still don’t know a consistent way to get the actual device name from every Windows box, but I noticed that some other systems that I looked at had the name format
\Device\NPF_{13044533-0543-4AF5-9E3C-85EBBC7C04BB}
(note the NPF_ that didn’t show up anywhere that I looked on this system)

So, in desperation, I gave it a shot. That’s what worked for me on this one pc that I’m working on today.

Unfortunately, without a way to get this name from something like net.Interfaces(), net.InterfaceByName(), or net.InterfaceByIndex() it will be hard to build something that will run on a machine that it isn’t tailor-made for.

I blame Windows, but I hope Google can give us the tools to work around it.

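An added example, not code from the posts above or from the gopacket project: two ways to get from what Windows reports to the \Device\NPF_{GUID} form that worked in the thread, either by rebuilding the name from any string that carries the adapter GUID, or by matching IP addresses against the capture device list. The names capDev, npfName and deviceForIPs are hypothetical; capDev stands in for the Name and Addresses fields of pcap.Interface as returned by pcap.FindAllDevs(), so the block runs without Npcap, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// capDev is a hypothetical stand-in for pcap.Interface (Name plus address IPs).
type capDev struct {
	Name string
	IPs  []net.IP
}

var guidRe = regexp.MustCompile(`\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}`)

// npfName rebuilds \Device\NPF_{GUID} from getmac or Get-NetAdapter style output.
func npfName(s string) (string, error) {
	guid := guidRe.FindString(s)
	if guid == "" {
		return "", fmt.Errorf("no adapter GUID in %q", s)
	}
	return `\Device\NPF_` + strings.ToUpper(guid), nil
}

// deviceForIPs returns the capture device sharing an address with the OS interface.
func deviceForIPs(devs []capDev, ips []net.IP) (string, error) {
	for _, d := range devs {
		for _, a := range d.IPs {
			for _, ip := range ips {
				if a.Equal(ip) {
					return d.Name, nil
				}
			}
		}
	}
	return "", fmt.Errorf("no capture device has any of %v", ips)
}

func main() {
	// Constructed sample data; the first GUID is the one quoted in the post.
	devs := []capDev{
		{`\Device\NPF_{13044533-0543-4AF5-9E3C-85EBBC7C04BB}`, []net.IP{net.ParseIP("192.168.1.20")}},
		{`\Device\NPF_{00000000-0000-0000-0000-000000000001}`, []net.IP{net.ParseIP("10.0.0.5")}},
	}
	fmt.Println(deviceForIPs(devs, []net.IP{net.ParseIP("192.168.1.20")}))
	fmt.Println(npfName(`\Device\Tcpip_{13044533-0543-4AF5-9E3C-85EBBC7C04BB}`))
}
```

In a real program the IP list would come from Addrs() on the net.Interface and the device list from pcap.FindAllDevs(); the name returned is what gets passed to pcap.OpenLive().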