
Rx-mode injection only works with REG_SZ (causes hangs); REG_MULTI_SZ does not inject as Rx

Open krish88077 opened this issue 8 months ago • 1 comments

Problem Summary

Npcap's Rx-mode injection behavior is inconsistent:

  • If SendToRxAdapters is added as REG_SZ with \Device\{GUID}, Rx-mode works (Wireshark sees it as Rx), but the script hangs (tested using Scapy's conf.L2socket with sendp()).
  • If SendToRxAdapters is added as REG_MULTI_SZ with the same \Device\{GUID} (1 line or multiple), no hang occurs, but the packet only goes out as Tx, not Rx.

This makes Rx-mode practically unusable in production environments where hanging is unacceptable.

Repro Steps

  1. Add registry key at: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters

  2. Set value:

  • REG_SZ: \Device\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} → works as Rx, but hangs.
  • REG_MULTI_SZ: same device name → no hang, but sends as Tx.
  3. Run Scapy script with:

         from scapy.all import sendp, Ether, IP, conf
         conf.iface = "Ethernet"  # NIC matching the device GUID
         pkt = Ether()/IP(dst="8.8.8.8")
         sendp(pkt)

  4. Observe:

  • REG_SZ: script in cmd hangs but appears in pktmon as Rx
  • REG_MULTI_SZ: script in cmd completes, but appears in pktmon as Tx

Versions

  • Npcap: 1.79
  • Wireshark: 4.4.3
  • OS: Windows 11 Pro
  • Tested on multiple interfaces

Expected Behavior

REG_MULTI_SZ should behave the same as REG_SZ — allow Rx-mode injection without hangs.

Additional Notes

Documentation at v0.05-r7 changelog mentions semicolon-separated strings, but current behavior suggests inconsistency. Using REG_SZ is not viable for production due to app hangs.

Please clarify if:

  • REG_MULTI_SZ is supposed to be supported for Rx
  • Any syntax (semicolon-separated or newline) is expected
  • \Device\{GUID} is still required in latest versions

krish88077 · Apr 17 '25 08:04

This feature is not documented outside the source and the changelog, as you noted. I will look into fixing the functionality, but if we continue to support and document the feature, it will be on a per-handle basis, not as a Registry setting. That said, the part of the code that reads and parses the Registry value expects a REG_SZ with semicolon-delimited names. I can't tell immediately whether the "\Device\" prefix is required currently.

dmiller-nmap · Jun 04 '25 18:06
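
A check of the SendToRxAdapters value against the format described in the reply above, as an added example (not Npcap's code and not posted by either participant): it reads the value from the key given in the issue and compares it with the REG_SZ, semicolon-delimited form. The function names and sample GUIDs are constructed for illustration.

```python
import re

REG_SZ, REG_MULTI_SZ = 1, 7  # Windows registry type codes
KEY = r"SYSTEM\CurrentControlSet\Services\npcap\Parameters"  # path from the issue
VALUE = "SendToRxAdapters"
PREFIX = "\\Device\\"
GUID_NAME = re.compile(
    r"^(\\Device\\)?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def check_send_to_rx(data, regtype):
    """Return (names, findings) for a value as returned by winreg.QueryValueEx."""
    findings = []
    if regtype == REG_MULTI_SZ:
        names = [s for s in data if s]  # winreg yields a list of strings
        findings.append("type is REG_MULTI_SZ; the reply says the parser expects REG_SZ")
    elif regtype == REG_SZ:
        names = data.split(";")
        if "" in names:
            findings.append("empty entry (stray or trailing ';')")
            names = [n for n in names if n]
    else:
        return [], [f"unexpected registry type {regtype}"]
    for n in names:
        if not GUID_NAME.match(n):
            findings.append(f"not a {{GUID}} adapter name: {n!r}")
        elif not n.startswith(PREFIX):
            # The reply leaves open whether the prefix is required.
            findings.append(f"no {PREFIX} prefix (requirement unconfirmed): {n!r}")
    return names, findings


def as_reg_sz(names):
    """Semicolon-delimited string form of the same adapter list."""
    return ";".join(names)


def read_value():
    """Read the live value; Windows only (winreg does not exist elsewhere)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as k:
        return winreg.QueryValueEx(k, VALUE)  # (data, regtype)


if __name__ == "__main__":
    try:
        data, regtype = read_value()
    except (ImportError, OSError):
        # Constructed sample used when the key cannot be read.
        data, regtype = [PREFIX + "{11111111-2222-3333-4444-555555555555}"], REG_MULTI_SZ
    names, findings = check_send_to_rx(data, regtype)
    print(as_reg_sz(names))
    print("\n".join(findings) or "matches the described format")
```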