RE: npcap horror story

["Rob Nicholls" <robert () robnicholls co uk>]

Hi Mike, Yang,



I appreciate this may not be particularly helpful, but I’ve yet to
encounter any issues on Windows 7 using Npcap.



I did briefly have similar issues with lo0 on a Windows 8 VM, but this was
resolved after restarting Windows and reinstalling Npcap. I haven’t had any
issues on any other Windows system, both native installs and virtual
machines, while using the default installation settings.



The most exotic setup I’ve used so far has been a laptop running a fully
patched Windows 7 Pro x64 with Intel wired and wireless adapters, a
VirtualBox Host-Only Network virtual adapter, and a Check Point Virtual
Network Adapter (used by SecuRemote). The Intel Ethernet adapter was even
configured with a dozen virtual interfaces as I’d configured multiple
VLANs. Most of the scans were performed with only about 4 adapters enabled.
The host also had commercial anti-virus software installed. I’ve run
multiple scans, against 1 host through to scanning 40 hosts, performing
default and full TCP and UDP scans. I’ve also run scans against 127.0.0.1.
The host also had WinPcap installed, and Wireshark still worked fine. Npcap
with NMAP 7.25BETA1 has worked fine for me all week.



I’ve also built a Windows 7 Enterprise x86 VM (no Service Pack, no
patches), installed Nmap and Npcap, and run a few scans. Again, I’ve not
experienced any issues (other than Zenmap doesn’t show its icon in the
shortcut for some reason). After installing Nmap and Npcap I opened up the
Command Prompt and ran “nmap 127.0.0.1 -vv -A” and got back expected
results after 95 seconds. An almost identical scan against one of my own
servers on the Internet gave expected results after 66 seconds.



The Npcap local loopback interface on both Windows 7 systems showed a
10.0Mbps connection (with an autoconfig IP). I do see the LoopbackAdapter
registry keys (with valid values). If you don’t have the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter
then something is presumably going wrong during the installation of Npcap
(especially as it looks like it copies the key from Software\Npcap to the
Services\npcap key).



Yang, from skim reading the Npcap NSIS file, it looks like the first key is
created by either NPFInstall.exe or NPFInstall2.exe, which are called a few
times using ExecWait. I don’t see any checks after the file’s executed,
other than whether the ExecWait of the executable returns “0”. The
installer itself doesn’t seem to do much error checking at times. Is it
possible to check within the installer, or perhaps in the NSIS script, that
all of the actions have been performed at each step, and produce any
detailed error messages if something has gone wrong during the installation?
I mostly see a series of Extract and Execute lines interspersed with a few
lines such as “Writing service options to registry”, but presumably we
don’t check a valid registry value is present otherwise Mike would have
seen an error during installation if his registry keys are missing.



If I could replicate Mike’s original issues I’d be happy to help Yang
debug the problem, but at the moment it looks like something specific to
Mike’s particular system.



Mike, I see a similar “Error in OpenService” message twice if I run Nmap
7.25BETA1 after deleting the npcap service on my clean Windows 7 test VM. If
I subsequently install WinPcap I only get the error message once. I presume
the error occurs once checking for the npcap service and a second time
looking for WinPcap (the npf service). It sounds like you may have
uninstalled or deleted Npcap and left WinPcap installed if you only get it
once.



It might make sense for someone to modify Nmap to only show that error if
both npcap and npf are missing, or perhaps relegate it all to debug output?
Otherwise anyone sticking with WinPcap will always see the error when Nmap
checks for npcap.



Rob



From: dev [mailto:dev-bounces () nmap org] On Behalf Of Mike .
Sent: 28 July 2016 19:04
To: nmap-group <dev () nmap org>
Subject: npcap horror story



i call it a horror story because of all that i have had to go through in
geting it to work, which it never did. so i deleted both adapters, rebooted
and now nmap tells me this when i try and scan



Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-28 12:57 Central
Dayligh

t Time

Error in OpenService





would be nice if it told me what service it was trying to open. anyway, done
with npcap and the hoop jumping required to get it to work. i can live
without scanning loopback. it's not the end of the world. my only ? is
this...did anyone ever test this on win7?



Mike

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/