RE: NPCAP FilterClass question

["Luff, Vince" <vince.luff () anite com>]

Hi Yang,

Thank you very much for the .exe.  This works well and is a big help to me.
Ok we will sign using our own certificate.

I have a few questions:


·         When uninstalling Npcap, if I have wradvs (https://sourceforge.net/projects/wradvs ) running it says:

“Trying to stop the npf service”  -> “Failed to stop the npf service, stop uninstallation now. Please stop using Npcap 
first”.

I have to stop wradvs to allow the uninstall to proceed. Is this intentional behaviour?

Uninstall of WinPCAP allows the uninstall to proceed in this case but requests a reboot.


·         After uninstalling Npcap the Npcap driver remains on the NIC properties page. Shouldn’t the uninstall remove 
the driver also?



·         Small issue. I noticed that some of the text in the installer is not shown correctly:
[cid:image001.png@01D175FF.8DF307C0]


Regards,
Vince


From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 04 March 2016 01:34
To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,


On Fri, Mar 4, 2016 at 2:38 AM, Luff, Vince <vince.luff () anite com<mailto:vince.luff () anite com>> wrote:
Hi again Yang,

My colleague, Pawel has some questions for you below.

Regards,
Vince


==============
Hi Yang / PCAP Dev,

I’m using npcap-0.06 along with wireshark to capture the traffic flowing through our custom virtual network interface.
In order to simulate real network conditions like packet loss I use Microsoft Network Emulator built upon Microsoft 
VSTS Network Emulation NDIS6 Driver. This driver comes with Microsoft Test Agent for Visual Studio (See the Tools for 
Visual Studio 2015 section - https://www.visualstudio.com/downloads ).

The goal is to capture the outgoing traffic (I don’t really care about incoming) after it is impaired by Network 
Emulator filter but the trouble is that the FilterClass of NPCAP is “compression” whereas VSTS is “failover” so VSTS 
ends up underneath NPCAP and so wireshark logs the unimpaired traffic.

Notice: Make sure the outgoing traffic is NOT sent out by Npcap. Npcap always "receives" the packets sent by itself 
inside the driver ("receive" means can be captured by softwares like Wireshark). So you will always see intact outgoing 
packets sent by Npcap.

I worked it around by tweaking npcap class to “diagnostic” so filters stack up as I need.  Does this sound sensible?

I think this idea is viable. Just changing the value and rebuilding the driver should be OK.



Eventually npcap will be installed in our product by automated process possibly on x64 at some point so I’ll need to 
re-sign the driver and .INF file with our own certificate.
Can I ask:

•         Would you be willing help me out by sending me a test build with the .inf file tweaked with FilterClass 
“diagnostic”?

OK. See the attachment. Remember to remove the suffix in the file name.


Just change the value and rebuilt the driver.


•         In the long term, are you happy for us to re-sign the driver and .INF file with our own certificate?

As Fyodor said in: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/LICENSE-FOR-NPCAP-BINARIES

Npcap is open source and you can find the source code at our Github: https://github.com/nmap/npcap

We don't currently permit redistribution of the binaries which are signed by the Nmap Project (Insecure.Com LLC) using 
our signing certificate.  This is due to concerns that our signing certificate could possibly be revoked if malware or 
other shady software was to include these binaries which are signed by us.  We suggest signing Npcap with your own 
certificate and distributing that instead.

If you do wish to distribute our signed Npcap binaries with your legitimate software, please mail fyodor () nmap 
org<mailto:fyodor () nmap org>.  We may be able to make exceptions.  We also plan to look into the ramifications of a 
less restrictive redistribution policy as soon as we get a chance.

So you are encouraged to distribute Npcap signed by your own cert.


On the other note: Blue screens reported by my colleague Vince Luff don’t occur anymore.

Good. No need to hack with Virtual PC then.


Cheers,
Yang



Best Regards

Pawel Piekarski







Please refer to www.anite.com<http://www.anite.com/> for individual Anite company details. The contents of this e-mail 
and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised 
to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which 
is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor 
legal service effected by email.

Anite Ltd.
Registered in England No.1798114
Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom
VAT Registration No. GB 787 418187

Scanned for viruses by Mimecast<http://www.mimecast.co.uk>.


Please refer to www.anite.com for individual Anite company details. The contents of this e-mail and any attachments are 
for the intended recipient only. If you are not the intended recipient, you are not authorised to and must not 
disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential 
and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor legal service 
effected by email.  

Anite Ltd.
Registered in England No.1798114
Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom VAT Registration No. GB 787 418187

Scanned for viruses by Mimecast.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/