Re: NPCAP Blue screen

[食肉大灰兔V5 <hsluoyz () gmail com>]

Hi Luff,

Your attachment is exactly what I used. But I found out the issue based on
[1, 2].

*Based on my research, I would like to answer you that the maximum number
of network filter drivers in Windows 7 is 14. However, it is hard coded to
allow 14 filter drivers. By default, the number is 8. To view the number or
modify the number, please access the following registry key:*
*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters*
*Usually, the network filter drivers are listed in the Network Connection’s
Properties. Also, it can be located by some third party programs, such as
antivirus program.*

I can install now.

[1]
http://answers.microsoft.com/en-us/windows/forum/all/why-does-my-virtual-pc-install-reverts-back-during/7e324092-090c-40e5-a5d2-0badad2c248b?auth=1
[2]
http://www.experts-exchange.com/questions/27999067/WSUS-Update-failed-Windows-Virtual-PC.html


Cheers,
Yang


On Thu, Mar 3, 2016 at 7:00 PM, Luff, Vince <vince.luff () anite com> wrote:

> Hi Yang,
>
>
>
> Our IT department told me that they install KB958559-x86-Virtual PC.msu
>
> They gave me a copy (I’m not sure where they get this from).
>
> I’ve attached this file. I think email filters will block sending .msu
> files so I have zipped it as encrypted. The password is   *yang*
>
>
>
> Regards,
>
> Vince
>
>
>
>
>
> *From:* Luff, Vince
> *Sent:* 02 March 2016 17:51
> *To:* 'hsluoyz () gmail com'
> *Cc:* dev () nmap org; Piekarski, Pawel
> *Subject:* RE: NPCAP Blue screen
>
>
>
> Hi Yang,
>
>
>
> Sorry, I’m not sure. Maybe it’s because you are trying to install it on a
> virtual machine.
>
> In our PCs it’s running directly on Win7.
>
>
>
> I’ve asked our IT department if they use
> Windows6.1-KB958559-x86-RefreshPkg.msu. I’ll let you know when I get an
> answer.
>
>
>
> Regards,
>
> Vince
>
>
>
>
>
> *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com <hsluoyz () gmail com>]
> *Sent:* 01 March 2016 05:39
> *To:* Luff, Vince
> *Cc:* dev () nmap org; Piekarski, Pawel
> *Subject:* Re: NPCAP Blue screen
>
>
>
> Hi Luff,
>
>
>
> I have a Win7 x86 VMware VM on my Win10. I think I needed to use
> the Windows6.1-KB958559-x86-RefreshPkg.msu to install Virtual PC on this
> Win7 VM.
>
>
>
> But I failed the installation:
>
>
>
> *Failure configuring Windows updates*
>
> *Reverting changes.*
>
> *Do not turn off your computer.*
>
>
>
>  Do you have any idea why?
>
>
>
> Cheers,
>
> Yang
>
>
>
>
>
> On Mon, Feb 29, 2016 at 8:59 PM, Luff, Vince <vince.luff () anite com> wrote:
>
> Hi,
>
>
>
> In the Virtual PC settings, I assign one of the adaptors to be the
> “Microsoft Loopback Adaptor”. This adaptor is then used to create a TCP
> connection between the Win7 machine and the NetBSD OS running on the
> virtual machine.
>
>
>
>
>
>
>
> Please let me know if I have not answered your question fully.
>
>
>
> Regards,
>
> Vince
>
>
>
>
>
> *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
> *Sent:* 29 February 2016 12:53
>
>
> *To:* Luff, Vince
> *Cc:* dev () nmap org; Piekarski, Pawel
> *Subject:* Re: NPCAP Blue screen
>
>
>
> Hi Luff,
>
>
>
> I think your code simply create a loopback adapter using "devcon.exe
> install Inf\\Netloop.inf *msloop" command. But what do you mean by "Microsoft
> Loopback Adapter which is used for a virtual machine" in your first post?
> How to connect this loopback adapter with your Virtual PC VM?
>
>
>
> The second issue is fixed in the latest Npcap 0.05 R16:
>
> https://github.com/nmap/npcap/releases
>
>
>
>
>
> Cheers,
>
> Yang
>
>
>
> On Mon, Feb 29, 2016 at 7:56 PM, Luff, Vince <vince.luff () anite com> wrote:
>
> Hi Yang,
>
>
>
> Thank you for the bug fix. When will this be in a release?
>
>
>
> I am using Windows Virtual PC, 32 bit from Microsoft:
> https://www.microsoft.com/en-gb/download/details.aspx?id=3702
>
>
>
> We install the Microsoft Loopback Adaptor as follows:
>
>
>
> public bool InstallNewMsLoopBackAdpt()
>
>         {
>
>             bool retVal = true;
>
>             if (!File.Exists(Constants.File_DevconFile))    //
> File_DevconFile points to Devcon.exe (
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff544707(v=vs.85).aspx
> )
>
>             {
>
>                 DebugLog.WriteLine("ERROR : Installation files not copied
> properly", true);
>
>                 return false;
>
>             }
>
>             ///
>
>             string IniFilePath = Environment.GetFolderPath(Environment.
> SpecialFolder.Windows);
>
>             IniFilePath = Path.Combine(IniFilePath, "Inf\\Netloop.inf");
>
>             string parameter = "install " + IniFilePath + " *MSLOOP";
>
>
>
>             string resp = ConsoleCmd.run(Constants.File_DevconFile,
> parameter, 2);
>
>             if (!resp.Contains("Drivers updated successfully"))
>
>             {
>
>                 DebugLog.WriteLine("ERROR : Failed to create loop back
> NIC ", true);
>
>                 return false;
>
>             }
>
>
>
>             return retVal;
>
>         }
>
>
>
>
>
>
>
> Regards,
>
> Vince
>
>
>
>
>
> *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
> *Sent:* 28 February 2016 15:31
> *To:* Luff, Vince
> *Cc:* dev () nmap org; Piekarski, Pawel
> *Subject:* Re: NPCAP Blue screen
>
>
>
> Hi Luff,
>
>
>
> Using reverse engineering technique, I'm able to analyze those dump files
> now.
>
>
>
> The 1st dump file is a KERNEL_MODE_EXCEPTION_NOT_HANDLED_M BSoD. It's
> caused by the NdisFOidRequest call in NPF_GetDeviceMTU function of
> Openclos.c. This is a known issue. I posted a question in stackoverflow:
> http://stackoverflow.com/questions/31869373/get-system-service-exception-bluescreen-when-starting-wireshark-on-win10-vmware.
> But still no answers. I want to know which virtual machine software you are
> using. VMware Workstation or VirtualBox, and its version? What are the
> exact steps you used to bind a Microsoft Loopback Adapter to your virtual
> machine? I know that virtualization softwares usually create some adapters
> for networking. But I didn't know that they can use Microsoft Loopback
> Adapter?
>
>
>
> The 2nd and 3rd dump files points to the same issue, which is caused by a
> illegal memory read bug in the driver. I have fixed this bug in:
> https://github.com/nmap/npcap/commit/eafa222e8367024c96c6c17fb7f6db9a25658863
> .
>
>
>
>
>
> Cheers,
>
> Yang
>
>
>
>
>
> On Sun, Feb 28, 2016 at 6:34 PM, 食肉大灰兔V5 <hsluoyz () gmail com> wrote:
>
> Hi Luff,
>
>
>
> First thanks for the report!
>
>
>
> Unfortunately Npcap has updated to VS2015 Update1, WDK 10 10586 and SDK 10
> 10586 since version 0.05 R11. Versions prior to 0.05 R11 needs to be built
> with the legacy WDK 10 10240 and SDK 10 10240, which I both already
> uninstalled (and I don't have those installers kept). Currently Microsoft
> only has the link to the latest WDK and SDK (which is 10586). So it's
> impossible for me to recompile that version's binaries for now. So without
> those built debug symbols I can't analyze the cause of the BSoD. So I
> wonder would you mind to reproduce the BSoD in a recent Npcap version? The
> latest 0.05 R14 is best. But a version not prior than 0.05 R11 is also OK.
> Thanks!
>
>
>
>
>
> Cheers,
>
> Yang
>
>
>
> On Tue, Feb 23, 2016 at 5:57 PM, Luff, Vince <vince.luff () anite com> wrote:
>
> Hello,
>
>
>
> I am using Npcap on Windows7 32bit SP1, and have seen a blue screen 3
> times over the past month. I’ve attached the .dmp files:
>
>
>
> *Date of crash*                     *NPCAP version  *                *DMP
> file*                                               *Suspected file*
>
> 29 Jan                                    0.05 r3
>                                 012916-15038-01.dmp
> npf.sys
>
> 4 Feb                                     0.05 r3
>                                 020416-15428-01.dmp
> npf.sys
>
> 10 Feb                                   0.05 r10
>                 curr021016-18252-01.dmp            npcap.sys
>
>
>
>
>
> When these crashes happened I was tracing two adaptors simultaneously
> using tshark. One of them was a Microsoft Loopback Adapter which is used
> for a virtual machine.
>
> Since I got the third crash I disabled tracing on the Microsoft Loopback
> Adapter and have not had a blue screen since.
>
>
>
> Please let me know if I should provide more information.
>
>
>
> By the way, I work for telecoms company Anite Telecoms in the UK.
>
>
>
> Regards,
>
> Vince Luff.
>
>
>
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
>
>
>
>
>
>
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>.
>
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
>
>
>
>
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>.
>
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
>
>
>
>
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk/>.
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/