Re: NPCAP FilterClass question

[食肉大灰兔V5 <hsluoyz () gmail com>]

Hi Luff,


On Fri, Mar 4, 2016 at 7:41 PM, Luff, Vince <vince.luff () anite com> wrote:

> Hi Yang,
>
>
>
> Thank you very much for the .exe.  This works well and is a big help to me.
>
> Ok we will sign using our own certificate.
>
>
>
> I have a few questions:
>
>
>
> ·         When uninstalling Npcap, if I have wradvs (
> https://sourceforge.net/projects/wradvs ) running it says:
>
> “Trying to stop the npf service”  -> “Failed to stop the npf service, stop
> uninstallation now. Please stop using Npcap first”.
>
> I have to stop wradvs to allow the uninstall to proceed. Is this
> intentional behaviour?
>
> Uninstall of WinPCAP allows the uninstall to proceed in this case but
> requests a reboot.

Yes. If Npcap is currently in use, then the uninstallation will fail with
the message: “Failed to stop the npf service, stop uninstallation now.
Please stop using Npcap first”.

There are many differences between NDIS 5 (used by WinPcap) and NDIS 6
(used by Npcap). The most significant one is that NDIS 6 only allows a
driver to attach to an adapter once. This means Npcap has to handle all the
user-mode multiplexing by itself. When the driver uninstalls, all adapters
provided by NDIS are detached without exception or waiting until reboot. So
even if there's a way to let Npcap driver uninstall itself after reboot,
the current capture sessions will still cease. So current handling of not
allowing uninstallation is reasonable.


> ·         After uninstalling Npcap the Npcap driver remains on the NIC
> properties page. Shouldn’t the uninstall remove the driver also?

Have you uninstalled successfully? You can paste your uninstall log here.
PS: Showing the above message is definitely not successful.

> ·         Small issue. I noticed that some of the text in the installer
> is not shown correctly:
OK. In my testing machines, the wording didn't exceed the window size. I
will shorten the sentence then.

Cheers,
Yang


> Regards,
>
> Vince
>
>
>
>
>
> *From:* 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
> *Sent:* 04 March 2016 01:34
> *To:* Luff, Vince
> *Cc:* dev () nmap org; Piekarski, Pawel
> *Subject:* Re: NPCAP FilterClass question
>
>
>
> Hi Luff,
>
>
>
>
>
> On Fri, Mar 4, 2016 at 2:38 AM, Luff, Vince <vince.luff () anite com> wrote:
>
> Hi again Yang,
>
>
>
> My colleague, Pawel has some questions for you below.
>
>
>
> Regards,
>
> Vince
>
>
>
>
>
> ==============
>
> Hi Yang / PCAP Dev,
>
>
>
> I’m using npcap-0.06 along with wireshark to capture the traffic flowing
> through our custom virtual network interface.
>
> In order to simulate real network conditions like packet loss I use
> Microsoft Network Emulator built upon Microsoft VSTS Network Emulation
> NDIS6 Driver. This driver comes with Microsoft Test Agent for Visual Studio
> (See the Tools for Visual Studio 2015 section -
> https://www.visualstudio.com/downloads ).
>
>
>
> The goal is to capture the outgoing traffic (I don’t really care about
> incoming) after it is impaired by Network Emulator filter but the trouble
> is that the FilterClass of NPCAP is “compression” whereas VSTS is
> “failover” so VSTS ends up underneath NPCAP and so wireshark logs the
> unimpaired traffic.
>
>
>
> Notice: Make sure the outgoing traffic is NOT sent out by Npcap. Npcap
> always "receives" the packets sent by itself inside the driver ("receive"
> means can be captured by softwares like Wireshark). So you will always see
> intact outgoing packets sent by Npcap.
>
>
>
> I worked it around by tweaking npcap class to “diagnostic” so filters
> stack up as I need.  Does this sound sensible?
>
>
>
> I think this idea is viable. Just changing the value and rebuilding the
> driver should be OK.
>
>
>
>
>
>
>
> Eventually npcap will be installed in our product by automated process
> possibly on x64 at some point so I’ll need to re-sign the driver and .INF
> file with our own certificate.
>
> Can I ask:
>
> ·         Would you be willing help me out by sending me a test build
> with the .inf file tweaked with FilterClass “diagnostic”?
>
>
>
> OK. See the attachment. Remember to remove the suffix in the file name.
>
>
>
>
>
> Just change the value and rebuilt the driver.
>
>
>
> ·         In the long term, are you happy for us to re-sign the driver
> and .INF file with our own certificate?
>
>
>
> As Fyodor said in:
> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/LICENSE-FOR-NPCAP-BINARIES
>
>
>
> *Npcap is open source and you can find the source code at our Github:
> https://github.com/nmap/npcap <https://github.com/nmap/npcap>*
>
>
>
> *We don't currently permit redistribution of the binaries which are signed
> by the Nmap Project (Insecure.Com LLC) using our signing certificate.  This
> is due to concerns that our signing certificate could possibly be revoked
> if malware or other shady software was to include these binaries which are
> signed by us.  We suggest signing Npcap with your own certificate and
> distributing that instead.*
>
>
>
> *If you do wish to distribute our signed Npcap binaries with your
> legitimate software, please mail fyodor () nmap org <fyodor () nmap org>.  We may
> be able to make exceptions.  We also plan to look into the ramifications of
> a less restrictive redistribution policy as soon as we get a chance.*
>
>
>
> So you are encouraged to distribute Npcap signed by your own cert.
>
>
>
>
>
> On the other note: Blue screens reported by my colleague Vince Luff don’t
> occur anymore.
>
>
>
> Good. No need to hack with Virtual PC then.
>
>
>
>
>
> Cheers,
>
> Yang
>
>
>
>
>
>
>
> *Best Regards*
>
>
> *Pawel Piekarski*
>
>
>
>
>
>
>
>
>
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.
>
>
>
>
> Please refer to www.anite.com for individual Anite company details. The
> contents of this e-mail and any attachments are for the intended recipient
> only. If you are not the intended recipient, you are not authorised to and
> must not disclose, copy, distribute, or retain this message or any part of
> it. It may contain information which is confidential and/or covered by
> legal professional or other privilege. Contracts cannot be concluded with
> us nor legal service effected by email.
>
> Anite Ltd.
> Registered in England No.1798114
> Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United
> Kingdom
> VAT Registration No. GB 787 418187
>
> Scanned for viruses by Mimecast <http://www.mimecast.co.uk>.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/