Description
@dmiller-nmap recently did some research on adapter offloading. A customer had asked:
The documentation states that certain network adapter offloading features (such as TCP Chimney, IP Checksum Offloading, and Large Send Offloading) can interfere with packet capturing. When these features are enabled, Npcap may not receive all packets, or it may receive them in a state different from what is actually transmitted on the wire.
I also noted that while Npcap developers had previously implemented a change to disable these offloads automatically, this was later reverted. The rationale was to avoid forcibly disabling these features for all users. The recommendation is now for users to disable these settings manually if needed.
Given this, could you please advise if the use of these offloading features could result in dropped, incomplete or altered packet captures?
In response, Dan noted:
Generally speaking, offload features of a miniport driver and/or NIC mean that the version of the packet that Npcap sees within the Windows network stack may be different in some way from the packet that ends up on the physical link. Usually, this is evident as a zero or incorrect TCP, UDP, or IP checksum for sent packets, but it can also appear as extra-large packets (greater than the TCP MSS or the link maximum frame size) received when RSC is enabled. For most purposes, this is not a problem, since the payload data is the same, but it may be relevant for users who want or need a more forensically-sound packet capture.
TCP Chimney offload and IPSEC task offload have been deprecated since 2017. They are very rare, and we do not expect users of Microsoft-supported Windows versions to have them enabled. When they are enabled, Npcap may see the connection establishment (TCP handshake) but may not see the data stream of the connection. Ref: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/why-are-we-deprecating-network-performance-features-kb4014193/259053
This is great info that we should probably add to the offloading part of the Npcap docs.
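The indicators named above (zero or incorrect IP/TCP/UDP checksums on sent packets, and frames larger than the link maximum) can be checked per captured frame. The following is an added example, not code from Npcap or from this issue. It assumes Ethernet II framing, IPv4, and a 1514-byte maximum frame; the function names and sample frames are constructed for illustration.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (0 means the embedded checksum verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def offload_artifacts(frame: bytes, max_frame: int = 1514) -> list:
    """Return offload indicators for one captured Ethernet II / IPv4 frame."""
    flags = []
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return flags                      # only plain IPv4 is handled here
    if len(frame) > max_frame:
        flags.append("oversized")         # larger than the assumed link maximum
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if csum(ip[:ihl]) != 0:
        flags.append("ip-checksum")
    total_len, frag = struct.unpack("!H", ip[2:4])[0], struct.unpack("!H", ip[6:8])[0]
    proto = ip[9]
    if proto in (6, 17) and not frag & 0x3FFF:      # fragments cannot be verified alone
        seg = ip[ihl:total_len] if total_len >= ihl else ip[ihl:]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(seg))
        if csum(pseudo + seg) != 0:       # a zero checksum field also fails here
            flags.append("tcp-checksum" if proto == 6 else "udp-checksum")
    return flags

def build_tcp_frame(payload: bytes, fill_checksums: bool) -> bytes:
    """Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80, Ethernet + IPv4 + TCP."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0) + src + dst
    if fill_checksums:
        t = csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", t) + tcp[18:]
        ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    print(offload_artifacts(build_tcp_frame(b"x" * 100, True)))    # checksums as on the wire
    print(offload_artifacts(build_tcp_frame(b"x" * 100, False)))   # sent with checksums left blank
    print(offload_artifacts(build_tcp_frame(b"x" * 4000, True)))   # frame above the link maximum
```

A high share of flagged outbound frames in a capture suggests the capture reflects the host stack's view rather than the bytes on the physical link.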