Wireshark mailing list archives
Re: Npcap 0.03 call for test
From: Jim Young <jyoung () gsu edu>
Date: Tue, 4 Aug 2015 04:23:56 +0000
Hello Yang,

While testing Npcap 0.03-r3 I stumbled into one reproducible issue but I also triggered a crash (which I am currently unable to reproduce).

The reproducible issue involves capturing on the Npcap loopback interface and then starting a cmd shell and pinging the loopback address as follows:

ping -t -l 65500 127.0.0.1

The first several ping requests and responses are seen and captured but after several seconds I started seeing "[Malformed Packets]" of length 14. A pair of Malformed packets were seen each second. When I stopped the ping, the Malformed Packets stopped. I stopped and restarted Wireshark but the same thing happened.

I then wanted to reboot the system to see if I could still replicate this Malformed Packet issue. After the system rebooted I double-clicked on the Wireshark icon but it did not immediately start. I thought that I had not double-clicked on it properly so I double-clicked on the Wireshark icon a second time and then the system crashed with the following Bug Check Message:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

I tried several times to reproduce this particular crash but so far with no luck, although I can easily reproduce the issue with Malformed Packets of length 14.

Here's the WinDBG log from the MEMORY.DMP file created by the latest crash:

<snip>
3: kd> .symfix C:\Symbols
3: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
.....................................
Loading unloaded module list
.........
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000ffffffff, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff801fb0acb7c, address which referenced memory

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for npf.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for packet.dll -

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 00000000ffffffff

CURRENT_IRQL: 2

FAULTING_IP:
ndis!ndisQueueOidRequest+ec
fffff801`fb0acb7c 803e05 cmp byte ptr [rsi],5

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: dumpcap.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME: ffffd000dc7b5080 -- (.trap 0xffffd000dc7b5080)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffe00167a89080
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801fb0acb7c rsp=ffffd000dc7b5210 rbp=ffffd000dc7b5310
 r8=0000000000000000  r9=0000000000000003 r10=0000000000000000
r11=fffff801fb0a954b r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
ndis!ndisQueueOidRequest+0xec:
fffff801`fb0acb7c 803e05 cmp byte ptr [rsi],5 ds:00000000`00000000=??
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80111fd27e9 to fffff80111fc6ca0

STACK_TEXT:
ffffd000`dc7b4f38 fffff801`11fd27e9 : 00000000`0000000a 00000000`ffffffff 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`dc7b4f40 fffff801`11fd103a : 00000000`00000000 ffffe001`69600000 00000000`00169600 fffffa80`035d1c00 : nt!KiBugCheckDispatch+0x69
ffffd000`dc7b5080 fffff801`fb0acb7c : ffffe001`6960a660 fffff801`11eb79b1 00000000`00000600 00000000`00000801 : nt!KiPageFault+0x23a
ffffd000`dc7b5210 fffff801`fb0ad4ce : ffffe001`67aaa760 00000000`000001fe 00000000`00000000 ffffe001`69600078 : ndis!ndisQueueOidRequest+0xec
ffffd000`dc7b53b0 fffff801`fbe1a1d1 : ffffe001`69600098 ffffe001`69600000 ffffe001`69600098 ffffe001`69600000 : ndis!NdisFOidRequest+0xc2
ffffd000`dc7b5470 fffff801`fbe1a51f : ffffe001`656efcc0 ffffe001`670d0db0 ffffe001`670d0ce0 ffffe001`69600000 : npf+0x21d1
ffffd000`dc7b54b0 fffff801`12298dd1 : 00000000`000000a5 ffffd000`dc7b57e1 00000000`00000000 00000000`00000040 : npf+0x251f
ffffd000`dc7b54e0 fffff801`1231fdc4 : 00000000`00000000 00000000`00000000 ffffe001`656efb40 ffffe001`656efb40 : nt!IopParseDevice+0x6c1
ffffd000`dc7b5700 fffff801`122ad6b3 : 00000000`00000000 ffffd000`dc7b58a8 00000000`00000040 ffffe001`61a6c080 : nt!ObpLookupObjectName+0x784
ffffd000`dc7b5830 fffff801`122c64db : 00000000`00000001 ffffe001`679c0738 00000000`00000001 00000000`00000020 : nt!ObOpenObjectByName+0x1e3
ffffd000`dc7b5960 fffff801`122c615c : 000000a5`08c0c848 00000000`c0100080 000000a5`08c0c8a0 ffffe001`67de48c0 : nt!IopCreateFile+0x36b
ffffd000`dc7b5a00 fffff801`11fd24b3 : ffffe001`67a89080 ffffd000`dc7b5b80 ffffd000`dc7b5aa8 000000a5`08c0c7f0 : nt!NtCreateFile+0x78
ffffd000`dc7b5a90 00007ffe`5e78171a : 00007ffe`5bc081aa 000000a5`08c0c980 00000000`00000000 00000000`0000006c : nt!KiSystemServiceCopyEnd+0x13
000000a5`08c0c7c8 00007ffe`5bc081aa : 000000a5`08c0c980 00000000`00000000 00000000`0000006c 00007ffe`5e72086d : ntdll!NtCreateFile+0xa
000000a5`08c0c7d0 00007ffe`5bc07e7a : 00000000`00000000 000000a5`08c0c9f0 00000000`c0000000 00000000`00000000 : KERNELBASE!CreateFileInternal+0x314
000000a5`08c0c950 00007ffe`5bc0b3d1 : 00000000`00000000 0000647f`a05090dc 000000a5`0aab0000 00000000`00ae10cc : KERNELBASE!CreateFileW+0x66
000000a5`08c0c9b0 00000000`00ae5166 : 000000a5`08d04960 ffffffff`ffffffff 00000000`00af9540 000000a5`08c0cea8 : KERNELBASE!CreateFileA+0x61
000000a5`08c0ca10 000000a5`08d04960 : ffffffff`ffffffff 00000000`00af9540 000000a5`08c0cea8 00000000`00000003 : packet+0x5166
000000a5`08c0ca18 ffffffff`ffffffff : 00000000`00af9540 000000a5`08c0cea8 00000000`00000003 00000000`00000000 : 0x000000a5`08d04960
000000a5`08c0ca20 00000000`00af9540 : 000000a5`08c0cea8 00000000`00000003 00000000`00000000 00000000`00000000 : 0xffffffff`ffffffff
000000a5`08c0ca28 000000a5`08c0cea8 : 00000000`00000003 00000000`00000000 00000000`00000000 00000000`00aea341 : packet!PacketGetNetType+0x13050
000000a5`08c0ca30 00000000`00000003 : 00000000`00000000 00000000`00000000 00000000`00aea341 000000a5`08c0cfa8 : 0x000000a5`08c0cea8
000000a5`08c0ca38 00000000`00000000 : 00000000`00000000 00000000`00aea341 000000a5`08c0cfa8 00000000`ffffffda : 0x3

STACK_COMMAND: kb

FOLLOWUP_IP:
npf+21d1
fffff801`fbe1a1d1 8bf0 mov esi,eax

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: npf+21d1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: npf

IMAGE_NAME: npf.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 55bf12a7

FAILURE_BUCKET_ID: AV_npf+21d1

BUCKET_ID: AV_npf+21d1

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_npf+21d1

FAILURE_ID_HASH: {018c08e5-8cd5-951b-e0e0-8baf1868eb2b}

Followup: MachineOwner
---------

Please let me know if you need to see the complete MEMORY.DMP.

Best regards,

Jim Y.