Nmap Development mailing list archives
Re: NPCAP FilterClass question
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Tue, 8 Mar 2016 22:56:06 +0800
Hi Luff, On Mon, Mar 7, 2016 at 6:30 PM, Luff, Vince <vince.luff () anite com> wrote:
Hi Yang, First I tried NPFInstall.exe -uw but this immediately closed the command window so I could not see the return code. So I re-installed Npcap and then issued command: NPFInstall.exe -uw -v I got a popup saying “Installation failed”. See screenshot:
I never saw this error before. The error message is not generated by Npcap, and its text is too general to search for a possible answer at Google. I think your environment must have installed some special software or enabled some special features. You will not see this error in a fresh installed system. So the final solution would be starting from a fresh system, then try installing your software one by one. See whether this error happens in one step.
After clicking OK it shows the following: I have a question. What is the difference between the “win7 driver” and the “WFP callout driver” ?
Npcap's driver is a combination of LWF driver and WFP callout driver, which are both driver types proposed by Microsoft. "Win7 driver" just means it literally, a driver for Windows 7. In the Npcap case, two sets of drivers are provided. One set for Vista and Win7. Another for Win8 and Win10. PS: If you count x86 and x64 in, it will double to 4 sets. Moreover, if you count the WinPcap-compatible or not in, it will double to 8 sets of driver binaries. Cheers, Yang
Regards, Vince *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com] *Sent:* 04 March 2016 17:56 *To:* Luff, Vince *Cc:* dev () nmap org; Piekarski, Pawel *Subject:* Re: NPCAP FilterClass question Hi Luff, You can execute NPFInstall.exe -uw and give me its return values. This is the actual move to uninstall the driver. Cheers, Yang On Saturday, March 5, 2016, Luff, Vince <vince.luff () anite com> wrote: Hi Yang, Here is what I see: Regards, Vince *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com] *Sent:* 04 March 2016 16:49 *To:* Luff, Vince *Cc:* dev () nmap org; Piekarski, Pawel *Subject:* Re: NPCAP FilterClass question Hi Luff, Please try the latest Npcap 0.06 R4 at: https://github.com/nmap/npcap/releases In this version, the uninstaller won't close itself automatically. So you can have enough time to watch its log by clicking the "Show details" button. Cheers, Yang On Fri, Mar 4, 2016 at 11:53 PM, Luff, Vince <vince.luff () anite com> wrote: Hi, Where do I find the uninstall log? Regards, Vince *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com] *Sent:* 04 March 2016 12:13 *To:* Luff, Vince *Cc:* dev () nmap org; Piekarski, Pawel *Subject:* Re: NPCAP FilterClass question Hi Luff, On Fri, Mar 4, 2016 at 7:41 PM, Luff, Vince <vince.luff () anite com> wrote: Hi Yang, Thank you very much for the .exe. This works well and is a big help to me. Ok we will sign using our own certificate. I have a few questions: · When uninstalling Npcap, if I have wradvs ( https://sourceforge.net/projects/wradvs ) running it says: “Trying to stop the npf service” -> “Failed to stop the npf service, stop uninstallation now. Please stop using Npcap first”. I have to stop wradvs to allow the uninstall to proceed. Is this intentional behaviour? Uninstall of WinPCAP allows the uninstall to proceed in this case but requests a reboot. Yes. If Npcap is currently in use, then the uninstallation will fail with the message: “Failed to stop the npf service, stop uninstallation now. Please stop using Npcap first”. There are many differences between NDIS 5 (used by WinPcap) and NDIS 6 (used by Npcap). The most significant one is that NDIS 6 only allows a driver to attach to an adapter once. This means Npcap has to handle all the user-mode multiplexing by itself. When the driver uninstalls, all adapters provided by NDIS are detached without exception or waiting until reboot. So even if there's a way to let Npcap driver uninstall itself after reboot, the current capture sessions will still cease. So current handling of not allowing uninstallation is reasonable. · After uninstalling Npcap the Npcap driver remains on the NIC properties page. Shouldn’t the uninstall remove the driver also? Have you uninstalled successfully? You can paste your uninstall log here. PS: Showing the above message is definitely not successful. · Small issue. I noticed that some of the text in the installer is not shown correctly: OK. In my testing machines, the wording didn't exceed the window size. I will shorten the sentence then. Cheers, Yang Regards, Vince *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com] *Sent:* 04 March 2016 01:34 *To:* Luff, Vince *Cc:* dev () nmap org; Piekarski, Pawel *Subject:* Re: NPCAP FilterClass question Hi Luff, On Fri, Mar 4, 2016 at 2:38 AM, Luff, Vince <vince.luff () anite com> wrote: Hi again Yang, My colleague, Pawel has some questions for you below. Regards, Vince ============== Hi Yang / PCAP Dev, I’m using npcap-0.06 along with wireshark to capture the traffic flowing through our custom virtual network interface. In order to simulate real network conditions like packet loss I use Microsoft Network Emulator built upon Microsoft VSTS Network Emulation NDIS6 Driver. This driver comes with Microsoft Test Agent for Visual Studio (See the Tools for Visual Studio 2015 section - https://www.visualstudio.com/downloads ). The goal is to capture the outgoing traffic (I don’t really care about incoming) after it is impaired by Network Emulator filter but the trouble is that the FilterClass of NPCAP is “compression” whereas VSTS is “failover” so VSTS ends up underneath NPCAP and so wireshark logs the unimpaired traffic. Notice: Make sure the outgoing traffic is NOT sent out by Npcap. Npcap always "receives" the packets sent by itself inside the driver ("receive" means can be captured by softwares like Wireshark). So you will always see intact outgoing packets sent by Npcap. I worked it around by tweaking npcap class to “diagnostic” so filters stack up as I need. Does this sound sensible? I think this idea is viable. Just changing the value and rebuilding the driver should be OK. Eventually npcap will be installed in our product by automated process possibly on x64 at some point so I’ll need to re-sign the driver and .INF file with our own certificate. Can I ask: · Would you be willing help me out by sending me a test build with the .inf file tweaked with FilterClass “diagnostic”? OK. See the attachment. Remember to remove the suffix in the file name. Just change the value and rebuilt the driver. · In the long term, are you happy for us to re-sign the driver and .INF file with our own certificate? As Fyodor said in: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/LICENSE-FOR-NPCAP-BINARIES *Npcap is open source and you can find the source code at our Github: https://github.com/nmap/npcap <https://github.com/nmap/npcap>* *We don't currently permit redistribution of the binaries which are signed by the Nmap Project (Insecure.Com LLC) using our signing certificate. This is due to concerns that our signing certificate could possibly be revoked if malware or other shady software was to include these binaries which are signed by us. We suggest signing Npcap with your own certificate and distributing that instead.* *If you do wish to distribute our signed Npcap binaries with your legitimate software, please mail fyodor () nmap org. We may be able to make exceptions. We also plan to look into the ramifications of a less restrictive redistribution policy as soon as we get a chance.* So you are encouraged to distribute Npcap signed by your own cert. On the other note: Blue screens reported by my colleague Vince Luff don’t occur anymore. Good. No need to hack with Virtual PC then. Cheers, Yang *Best Regards* *Pawel Piekarski* Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service effected by email. Anite Ltd. Registered in England No.1798114 Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187 Scanned for viruses by Mimecast <http://www.mimecast.co.uk>. Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service effected by email. Anite Ltd. Registered in England No.1798114 Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187 Scanned for viruses by Mimecast <http://www.mimecast.co.uk>. Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>. Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service effected by email. Anite Ltd. Registered in England No.1798114 Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187 Scanned for viruses by Mimecast <http://www.mimecast.co.uk>. Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>. Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service effected by email. Anite Ltd. Registered in England No.1798114 Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187 Scanned for viruses by Mimecast <http://www.mimecast.co.uk>. Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>. Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service effected by email. Anite Ltd. Registered in England No.1798114 Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187 Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- RE: NPCAP FilterClass question, (continued)
- RE: NPCAP FilterClass question Luff, Vince (Mar 04)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 04)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 04)
- RE: NPCAP FilterClass question Luff, Vince (Mar 04)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 04)
- RE: NPCAP FilterClass question Luff, Vince (Mar 09)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 07)
- RE: NPCAP FilterClass question Luff, Vince (Mar 09)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 08)
- RE: NPCAP FilterClass question Luff, Vince (Mar 09)
- RE: NPCAP FilterClass question Luff, Vince (Mar 04)
- Re: NPCAP FilterClass question 食肉大灰兔V5 (Mar 08)