Nmap Development mailing list archives

Re: NPCAP FilterClass question


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Tue, 8 Mar 2016 22:56:06 +0800

Hi Luff,


On Mon, Mar 7, 2016 at 6:30 PM, Luff, Vince <vince.luff () anite com> wrote:

Hi Yang,



First I tried NPFInstall.exe -uw

but this immediately closed the command window so I could not see the
return code. So I re-installed Npcap and then issued command:



NPFInstall.exe -uw -v



I got a popup saying “Installation failed”. See screenshot:

I never saw this error before. The error message is not generated by Npcap,
and its text is too general to search for a possible answer on Google.

I think your environment must have installed some special software or
enabled some special features. You will not see this error on a freshly
installed system. So the final solution would be starting from a fresh
system, then trying to install your software one by one, to see at which
step this error happens.

After clicking OK it shows the following:

I have a question. What is the difference between the “win7 driver” and
the “WFP callout driver”?


Npcap's driver is a combination of an LWF driver and a WFP callout driver,
which are both driver types proposed by Microsoft. "Win7 driver" just means
what it says literally: a driver for Windows 7. In the Npcap case, two sets
of drivers are provided, one set for Vista and Win7 and another for Win8 and
Win10. PS: If you count in x86 and x64, it doubles to 4 sets. Moreover, if
you count in WinPcap-compatible or not, it doubles to 8 sets of driver
binaries.


Cheers,
Yang

Regards,

Vince

*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* 04 March 2016 17:56
*To:* Luff, Vince
*Cc:* dev () nmap org; Piekarski, Pawel
*Subject:* Re: NPCAP FilterClass question

Hi Luff,



You can execute NPFInstall.exe -uw and give me its return values. This
is the actual move to uninstall the driver.



Cheers,

Yang


On Saturday, March 5, 2016, Luff, Vince <vince.luff () anite com> wrote:

Hi Yang,



Here is what I see:

Regards,

Vince

*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* 04 March 2016 16:49
*To:* Luff, Vince
*Cc:* dev () nmap org; Piekarski, Pawel
*Subject:* Re: NPCAP FilterClass question

Hi Luff,



Please try the latest Npcap 0.06 R4 at:

https://github.com/nmap/npcap/releases



In this version, the uninstaller won't close itself automatically. So you
can have enough time to watch its log by clicking the "Show details" button.

Cheers,

Yang



On Fri, Mar 4, 2016 at 11:53 PM, Luff, Vince <vince.luff () anite com> wrote:

Hi,



Where do I find the uninstall log?



Regards,

Vince





*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* 04 March 2016 12:13
*To:* Luff, Vince
*Cc:* dev () nmap org; Piekarski, Pawel
*Subject:* Re: NPCAP FilterClass question

Hi Luff,





On Fri, Mar 4, 2016 at 7:41 PM, Luff, Vince <vince.luff () anite com> wrote:

Hi Yang,



Thank you very much for the .exe.  This works well and is a big help to me.

Ok we will sign using our own certificate.



I have a few questions:



· When uninstalling Npcap, if I have wradvs
(https://sourceforge.net/projects/wradvs) running it says:

“Trying to stop the npf service” -> “Failed to stop the npf service, stop
uninstallation now. Please stop using Npcap first”.

I have to stop wradvs to allow the uninstall to proceed. Is this
intentional behaviour?

Uninstall of WinPcap allows the uninstall to proceed in this case but
requests a reboot.





Yes. If Npcap is currently in use, then the uninstallation will fail with
the message: “Failed to stop the npf service, stop uninstallation now.
Please stop using Npcap first”.



There are many differences between NDIS 5 (used by WinPcap) and NDIS 6
(used by Npcap). The most significant one is that NDIS 6 only allows a
driver to attach to an adapter once. This means Npcap has to handle all the
user-mode multiplexing by itself. When the driver uninstalls, all adapters
provided by NDIS are detached without exception or waiting until reboot. So
even if there's a way to let the Npcap driver uninstall itself after reboot,
the current capture sessions will still cease. So the current handling of
not allowing uninstallation is reasonable.



· After uninstalling Npcap the Npcap driver remains on the NIC
properties page. Shouldn’t the uninstall remove the driver also?



Have you uninstalled successfully? You can paste your uninstall log here.
PS: Showing the above message is definitely not successful.



· Small issue. I noticed that some of the text in the installer
is not shown correctly:



OK. In my testing machines, the wording didn't exceed the window size. I
will shorten the sentence then.



Cheers,

Yang







Regards,

Vince





*From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
*Sent:* 04 March 2016 01:34
*To:* Luff, Vince
*Cc:* dev () nmap org; Piekarski, Pawel
*Subject:* Re: NPCAP FilterClass question



Hi Luff,





On Fri, Mar 4, 2016 at 2:38 AM, Luff, Vince <vince.luff () anite com> wrote:

Hi again Yang,



My colleague, Pawel has some questions for you below.



Regards,

Vince





==============

Hi Yang / PCAP Dev,



I’m using npcap-0.06 along with wireshark to capture the traffic flowing
through our custom virtual network interface.

In order to simulate real network conditions like packet loss I use
Microsoft Network Emulator built upon Microsoft VSTS Network Emulation
NDIS6 Driver. This driver comes with Microsoft Test Agent for Visual Studio
(See the Tools for Visual Studio 2015 section -
https://www.visualstudio.com/downloads ).



The goal is to capture the outgoing traffic (I don’t really care about
incoming) after it is impaired by Network Emulator filter but the trouble
is that the FilterClass of NPCAP is “compression” whereas VSTS is
“failover” so VSTS ends up underneath NPCAP and so wireshark logs the
unimpaired traffic.



Notice: Make sure the outgoing traffic is NOT sent out by Npcap. Npcap
always "receives" the packets sent by itself inside the driver ("receive"
means they can be captured by software like Wireshark). So you will always
see intact outgoing packets sent by Npcap.



I worked around it by tweaking the npcap class to “diagnostic” so the
filters stack up as I need. Does this sound sensible?



I think this idea is viable. Just changing the value and rebuilding the
driver should be OK.







Eventually npcap will be installed in our product by automated process
possibly on x64 at some point so I’ll need to re-sign the driver and .INF
file with our own certificate.

Can I ask:

· Would you be willing to help me out by sending me a test build
with the .inf file tweaked with FilterClass “diagnostic”?



OK. See the attachment. Remember to remove the suffix in the file name.

Just change the value and rebuild the driver.



· In the long term, are you happy for us to re-sign the driver
and .INF file with our own certificate?



As Fyodor said in:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/LICENSE-FOR-NPCAP-BINARIES



*Npcap is open source and you can find the source code at our Github:
https://github.com/nmap/npcap*



*We don't currently permit redistribution of the binaries which are signed
by the Nmap Project (Insecure.Com LLC) using our signing certificate.  This
is due to concerns that our signing certificate could possibly be revoked
if malware or other shady software was to include these binaries which are
signed by us.  We suggest signing Npcap with your own certificate and
distributing that instead.*



*If you do wish to distribute our signed Npcap binaries with your
legitimate software, please mail fyodor () nmap org.  We may be able to make
exceptions.  We also plan to look into the ramifications of a less
restrictive redistribution policy as soon as we get a chance.*



So you are encouraged to distribute Npcap signed by your own cert.





On the other note: Blue screens reported by my colleague Vince Luff don’t
occur anymore.



Good. No need to hack with Virtual PC then.





Cheers,

Yang







*Best Regards*


*Pawel Piekarski*

Please refer to www.anite.com for individual Anite company details. The
contents of this e-mail and any attachments are for the intended recipient
only. If you are not the intended recipient, you are not authorised to and
must not disclose, copy, distribute, or retain this message or any part of
it. It may contain information which is confidential and/or covered by
legal professional or other privilege. Contracts cannot be concluded with
us nor legal service effected by email.

Anite Ltd.
Registered in England No.1798114
Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
Kingdom
VAT Registration No. GB 787 418187

Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
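The filter-class stacking that Pawel and Yang discuss above (Npcap declared as “compression” ending up above a “failover” emulator filter, and the workaround of re-declaring Npcap as “diagnostic”) can be checked mechanically from the INF files. The Python below is an added example, not code from this thread or from the Npcap project. It assumes the predefined NDIS filter-class order as documented by Microsoft for the INF `FilterClass` value (custom, compression, encryption, vpn, loadbalance, failover, diagnostic, scheduler, top of the stack first), the INF fragments are constructed for the demo rather than the real Npcap or VSTS emulator INFs, and the function names are my own.

```python
"""Work out how NDIS lightweight filter (LWF) drivers stack from the
FilterClass values declared in their INF files.

Added example, not Npcap project code. The class order is assumed from
Microsoft's documentation; the INF fragments below are constructed.
"""
import re
from typing import Dict, List

# Predefined NDIS filter classes, top of the stack (nearest the protocol
# drivers and capture applications) first, bottom (nearest the NIC
# miniport) last. Assumed from Microsoft's INF FilterClass documentation.
FILTER_CLASS_ORDER: List[str] = [
    "custom", "compression", "encryption", "vpn",
    "loadbalance", "failover", "diagnostic", "scheduler",
]

# Matches the AddReg line that declares the class, e.g.
#   HKR, Ndi, FilterClass,, compression
# group 1 = text before the value, group 2 = value, group 3 = trailer.
_FILTER_CLASS_RE = re.compile(
    r'^([ \t]*HKR[ \t]*,[ \t]*Ndi[ \t]*,[ \t]*FilterClass[ \t]*,[^,\n]*,[ \t]*"?)'
    r'([A-Za-z_]+)("?[ \t]*)$',
    re.IGNORECASE | re.MULTILINE,
)


def filter_class_from_inf(inf_text: str) -> str:
    """Return the lower-cased FilterClass declared in the INF text."""
    m = _FILTER_CLASS_RE.search(inf_text)
    if m is None:
        raise ValueError("no FilterClass AddReg entry found")
    cls = m.group(2).lower()
    if cls not in FILTER_CLASS_ORDER:
        raise ValueError(f"unknown FilterClass {cls!r}")
    return cls


def reclass_inf(inf_text: str, new_class: str) -> str:
    """Rewrite the FilterClass value (the 'tweak' discussed in the thread).
    This only edits text; the driver package still has to be rebuilt and
    re-signed before Windows will load it."""
    if new_class not in FILTER_CLASS_ORDER:
        raise ValueError(f"unknown FilterClass {new_class!r}")
    new_text, n = _FILTER_CLASS_RE.subn(
        lambda m: m.group(1) + new_class + m.group(3), inf_text, count=1)
    if n == 0:
        raise ValueError("no FilterClass AddReg entry found")
    return new_text


def stack_order(drivers: Dict[str, str]) -> List[str]:
    """Map {driver name: INF text} to driver names from top of the NDIS
    stack to bottom. Outgoing (send) packets traverse the list top-down,
    so an earlier driver sees them before a later one has modified them."""
    classes = {name: filter_class_from_inf(inf) for name, inf in drivers.items()}
    return sorted(classes, key=lambda name: FILTER_CLASS_ORDER.index(classes[name]))


def captures_after_impairment(capture: str, impairment: str,
                              drivers: Dict[str, str]) -> bool:
    """True when the capture filter sits below the impairment filter, i.e.
    it sees outgoing packets only after the impairment has been applied."""
    order = stack_order(drivers)
    return order.index(capture) > order.index(impairment)


# Constructed INF fragments (not the real Npcap or VSTS emulator INFs).
CAPTURE_INF_COMPRESSION = """\
[Install.AddReg]
HKR, Ndi, Service,, "capture_demo"
HKR, Ndi, FilterClass,, compression
HKR, Ndi, FilterType, 0x00010001, 2
"""

EMULATOR_INF_FAILOVER = """\
[Install.AddReg]
HKR, Ndi, Service,, "emulator_demo"
HKR, Ndi, FilterClass,, failover
HKR, Ndi, FilterType, 0x00010001, 2
"""

if __name__ == "__main__":
    before = {"capture": CAPTURE_INF_COMPRESSION, "emulator": EMULATOR_INF_FAILOVER}
    print("as shipped :", stack_order(before),
          "impaired sends captured:", captures_after_impairment("capture", "emulator", before))
    after = dict(before, capture=reclass_inf(CAPTURE_INF_COMPRESSION, "diagnostic"))
    print("reclassed  :", stack_order(after),
          "impaired sends captured:", captures_after_impairment("capture", "emulator", after))
```

Run stand-alone it prints the two orderings: with the capture filter declared as compression it sits above the failover emulator and records unimpaired sends, and after the re-declaration as diagnostic it sits below and records the impaired ones. Two practical points follow from the thread: a changed class moves the capture filter relative to every other LWF on the host (not just the emulator), so check the resulting order against all installed filters, and, as Yang notes, packets Npcap itself injects are looped back inside the driver and will still appear intact whatever the class.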





_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
