Nmap Development mailing list archives

RE: NPCAP FilterClass question


From: "Luff, Vince" <vince.luff () anite com>
Date: Tue, 8 Mar 2016 14:08:38 +0000

Hi Yang,

“devcon.exe remove *msloop” worked - the loopback adapters were removed.
Even after issuing this command, uninstall of Npcap left the driver listed in the NIC properties page.

Regards,
Vince



From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 07 March 2016 16:14
To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,

Try these steps:

1. Get the Devcon.exe tool by following the MSDN guide here: 
https://msdn.microsoft.com/en-us/library/windows/hardware/ff544707(v=vs.85).aspx

2. Launch a CMD and get Devcon.exe in your path.

3. Use "devcon.exe remove *msloop" command to remove all loopback adapters (including Npcap Loopback Adapter). If you 
didn't install other loopback adapters, this command is the fastest.

4. Or you can use "devcon.exe drivernodes *msloop" to get all loopback adapters and their IDs (like @ROOT\NET\0000). 
Get the ID of Npcap Loopback Adapter and run "devcon.exe remove THE_ID".


The "NPFInstall.exe -uw" command of Npcap actually shares the same code as Microsoft's Devcon.exe. So if 
Devcon.exe's removal fails too, it should be some kind of OS-level issue.


Cheers,
Yang
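A post-uninstall check to go with the devcon.exe steps above. This is an added example, not code from the thread and not Npcap's own tooling; it assumes Windows 8 / Server 2012 or later (Get-PnpDevice and Get-NetAdapterBinding are available), an elevated PowerShell session, and that the filter's display name contains "Npcap" (the service names npf and npcap are taken from the thread and assumed respectively).

```powershell
# Added example (not from the thread, not Npcap's own tooling): confirm that an
# Npcap uninstall, or the devcon.exe steps above, left nothing behind.
# Assumptions: Windows 8 / Server 2012 or later and an elevated session.

function Get-LoopbackAdapters {
    # The devices devcon's "*msloop" pattern matches: hardware ID *msloop
    # (the Microsoft loopback adapter the Npcap Loopback Adapter is based on).
    Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
        Where-Object { $_.HardwareID -like '*msloop*' } |
        Select-Object FriendlyName, InstanceId, Status
}

function Get-NpcapBindings {
    # What the NIC properties page shows: a filter still bound to an adapter.
    # Matching DisplayName on '*Npcap*' is an assumption; adjust for your INF.
    Get-NetAdapterBinding -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Npcap*' } |
        Select-Object Name, DisplayName, ComponentID, Enabled
}

function Get-NpcapDrivers {
    # Kernel driver services are not listed by Get-Service; use Win32_SystemDriver.
    # 'npf' is the service named in the thread's "Failed to stop the npf service"
    # message; 'npcap' is an assumed name for builds that use it.
    Get-CimInstance Win32_SystemDriver -Filter "Name='npf' OR Name='npcap'" |
        Select-Object Name, State, StartMode, PathName
}

function Test-NpcapRemoved {
    $left = @(Get-LoopbackAdapters) + @(Get-NpcapBindings) + @(Get-NpcapDrivers)
    if ($left.Count -eq 0) {
        Write-Host 'Clean: no loopback adapter, no Npcap binding, no npf/npcap driver.'
        return $true
    }
    Write-Host 'Leftovers found:'
    $left | Format-List | Out-String | Write-Host
    return $false
}

Test-NpcapRemoved
```

If the driver is still listed after "NPFInstall.exe -uw", the binding and Win32_SystemDriver rows tell you which of the two was left, which is the detail the uninstall log alone does not show.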


On Mon, Mar 7, 2016 at 6:30 PM, Luff, Vince <vince.luff () anite com> wrote:
Hi Yang,

First I tried NPFInstall.exe -uw
but this immediately closed the command window so I could not see the return code. So I re-installed Npcap and then 
issued the command:

NPFInstall.exe -uw -v

I got a popup saying “Installation failed”. See screenshot:

[cid:image001.png@01D17944.024972C0]


After clicking OK it shows the following:
[cid:image002.png@01D17944.024972C0]


I have a question. What is the difference between the “win7 driver” and the “WFP callout driver”?


Regards,
Vince




From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 04 March 2016 17:56

To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,

You can execute NPFInstall.exe -uw and give me its return values. This is the actual move to uninstall the driver.

Cheers,
Yang


On Saturday, March 5, 2016, Luff, Vince <vince.luff () anite com> wrote:
Hi Yang,

Here is what I see:

[cid:image003.png@01D17944.024972C0]

[cid:image004.png@01D17944.024972C0]

[cid:image005.png@01D17944.024972C0]

[cid:image006.png@01D17944.024972C0]

Regards,
Vince

From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 04 March 2016 16:49
To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,

Please try the latest Npcap 0.06 R4 at:
https://github.com/nmap/npcap/releases

In this version, the uninstaller won't close itself automatically. So you can have enough time to watch its log by 
clicking the "Show details" button.


Cheers,
Yang

On Fri, Mar 4, 2016 at 11:53 PM, Luff, Vince <vince.luff () anite com> wrote:
Hi,

Where do I find the uninstall log?

Regards,
Vince


From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 04 March 2016 12:13

To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,


On Fri, Mar 4, 2016 at 7:41 PM, Luff, Vince <vince.luff () anite com> wrote:
Hi Yang,

Thank you very much for the .exe.  This works well and is a big help to me.
Ok we will sign using our own certificate.

I have a few questions:


• When uninstalling Npcap, if I have wradvs (https://sourceforge.net/projects/wradvs ) running it says:

“Trying to stop the npf service”  -> “Failed to stop the npf service, stop uninstallation now. Please stop using Npcap 
first”.

I have to stop wradvs to allow the uninstall to proceed. Is this intentional behaviour?

Uninstall of WinPCAP allows the uninstall to proceed in this case but requests a reboot.


Yes. If Npcap is currently in use, then the uninstallation will fail with the message: “Failed to stop the npf service, 
stop uninstallation now. Please stop using Npcap first”.

There are many differences between NDIS 5 (used by WinPcap) and NDIS 6 (used by Npcap). The most significant one is 
that NDIS 6 only allows a driver to attach to an adapter once. This means Npcap has to handle all the user-mode 
multiplexing by itself. When the driver uninstalls, all adapters provided by NDIS are detached without exception or 
waiting until reboot. So even if there were a way to let the Npcap driver uninstall itself after reboot, the current 
capture sessions would still cease. So the current handling of not allowing uninstallation is reasonable.


• After uninstalling Npcap the Npcap driver remains on the NIC properties page. Shouldn’t the uninstall remove 
the driver also?

Have you uninstalled successfully? You can paste your uninstall log here. PS: Showing the above message is definitely 
not successful.



• Small issue. I noticed that some of the text in the installer is not shown correctly:
[cid:image007.png@01D17944.024972C0]

OK. In my testing machines, the wording didn't exceed the window size. I will shorten the sentence then.

Cheers,
Yang



Regards,
Vince


From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 04 March 2016 01:34
To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP FilterClass question

Hi Luff,


On Fri, Mar 4, 2016 at 2:38 AM, Luff, Vince <vince.luff () anite com> wrote:
Hi again Yang,

My colleague, Pawel has some questions for you below.

Regards,
Vince


==============
Hi Yang / PCAP Dev,

I’m using npcap-0.06 along with wireshark to capture the traffic flowing through our custom virtual network interface.
In order to simulate real network conditions like packet loss I use Microsoft Network Emulator built upon Microsoft 
VSTS Network Emulation NDIS6 Driver. This driver comes with Microsoft Test Agent for Visual Studio (See the Tools for 
Visual Studio 2015 section - https://www.visualstudio.com/downloads ).

The goal is to capture the outgoing traffic (I don’t really care about incoming) after it is impaired by Network 
Emulator filter but the trouble is that the FilterClass of NPCAP is “compression” whereas VSTS is “failover” so VSTS 
ends up underneath NPCAP and so wireshark logs the unimpaired traffic.

Notice: Make sure the outgoing traffic is NOT sent out by Npcap. Npcap always "receives" the packets sent by itself 
inside the driver ("receive" means it can be captured by software like Wireshark). So you will always see intact 
outgoing packets sent by Npcap.

I worked around it by tweaking the npcap class to “diagnostic” so filters stack up as I need. Does this sound sensible?

I think this idea is viable. Just changing the value and rebuilding the driver should be OK.



Eventually npcap will be installed in our product by automated process possibly on x64 at some point so I’ll need to 
re-sign the driver and .INF file with our own certificate.
Can I ask:

• Would you be willing to help me out by sending me a test build with the .inf file tweaked with FilterClass 
“diagnostic”?

OK. See the attachment. Remember to remove the suffix in the file name.


Just change the value and rebuild the driver.


• In the long term, are you happy for us to re-sign the driver and .INF file with our own certificate?

As Fyodor said in: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/LICENSE-FOR-NPCAP-BINARIES

Npcap is open source and you can find the source code at our Github: https://github.com/nmap/npcap

We don't currently permit redistribution of the binaries which are signed by the Nmap Project (Insecure.Com LLC) using 
our signing certificate.  This is due to concerns that our signing certificate could possibly be revoked if malware or 
other shady software was to include these binaries which are signed by us.  We suggest signing Npcap with your own 
certificate and distributing that instead.

If you do wish to distribute our signed Npcap binaries with your legitimate software, please mail fyodor () nmap 
org.  We may be able to make exceptions.  We also plan to look into the ramifications of a 
less restrictive redistribution policy as soon as we get a chance.

So you are encouraged to distribute Npcap signed by your own cert.


On another note: Blue screens reported by my colleague Vince Luff don’t occur anymore.

Good. No need to hack with Virtual PC then.


Cheers,
Yang



Best Regards

Pawel Piekarski
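The FilterClass stacking question above, as an added example that is not part of the thread and not Npcap's code: it reads the Ndi\FilterClass entry from an INF and reports where that puts the capture filter relative to the Network Emulator's "failover" filter. Assumptions: the class list is the NDIS 6 default order documented by Microsoft (top of the stack first); the thread itself only confirms that compression sits above failover and diagnostic below it, and the INF fragments are constructed in the shape of Microsoft's NDIS LWF sample, not Npcap's real INF.

```powershell
# Added example (not from the thread or the Npcap project). Assumption: the
# class list is Microsoft's documented NDIS 6 default order, nearest the protocol
# drivers first, nearest the miniport last. Outbound packets traverse it top down.
$NdisFilterClassOrder = @('custom', 'scheduler', 'encryption', 'compression',
                          'vpn', 'loadbalance', 'failover', 'diagnostic')

function Get-InfFilterClass {
    param([string]$InfText)
    # Matches an Ndi entry such as:  HKR, Ndi, FilterClass, , compression
    $m = [regex]::Match($InfText, '(?im)^\s*HKR\s*,\s*Ndi\s*,\s*FilterClass\s*,\s*,\s*"?([a-z_]+)"?')
    if (-not $m.Success) { throw 'No HKR,Ndi,FilterClass entry found in INF text' }
    return $m.Groups[1].Value.ToLowerInvariant()
}

function Compare-FilterClass {
    param([string]$CaptureClass, [string]$OtherClass)
    $c = [array]::IndexOf($NdisFilterClassOrder, $CaptureClass)
    $o = [array]::IndexOf($NdisFilterClassOrder, $OtherClass)
    if ($c -lt 0 -or $o -lt 0) { throw "Unknown filter class: $CaptureClass / $OtherClass" }
    if ($c -lt $o) {
        return "$CaptureClass is ABOVE $OtherClass: outbound packets are captured before $OtherClass touches them"
    }
    if ($c -gt $o) {
        return "$CaptureClass is BELOW $OtherClass: outbound packets are captured after $OtherClass has impaired them"
    }
    return 'same class: FilterClass alone does not decide the order'
}

# Constructed INF fragments (shape of the NDIS LWF sample INF, not Npcap's real INF).
$infCompression = @'
[Inst_Ndi]
HKR, Ndi, Service, , "npf"
HKR, Ndi, FilterClass, , compression
HKR, Ndi, FilterType, 0x00010001, 0x00000002
'@
$infDiagnostic = $infCompression -replace 'compression', 'diagnostic'

# The VSTS Network Emulation driver is class "failover" (per the thread).
Compare-FilterClass (Get-InfFilterClass $infCompression) 'failover'   # stock Npcap: unimpaired traffic captured
Compare-FilterClass (Get-InfFilterClass $infDiagnostic)  'failover'   # after the tweak: impaired traffic captured
```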







Please refer to www.anite.com for individual Anite company details. The contents of this e-mail 
and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised 
to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which 
is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor 
legal service effected by email.

Anite Ltd.
Registered in England No.1798114
Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom
VAT Registration No. GB 787 418187

Scanned for viruses by Mimecast.



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/