Nmap Development mailing list archives

RE: npcap horror story


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 29 Jul 2016 18:34:48 +0100

Hi Mike,

 

Based on experience, Windows will display “Identifying” for a few seconds when a network adaptor thinks the connection 
is up (e.g. network cable is plugged in). I don’t think it should last more than a few seconds if everything’s working 
correctly.

 

I’ve not really looked into it, but I suspect when it says “Identifying” it may be trying to negotiate the speed of the 
link, then sending DHCP requests to get an IPv4 address and details of the router (and potentially DNS servers), as 
well as similar requests for IPv6, such as listening for Router Advertisement responses to its Router Solicitation 
requests or DHCPv6 responses. If you’re not using DHCP on an interface and you’ve set a static IP instead, I believe it 
also sends ARP requests for the IP before allowing Windows to use that “preferred” IP itself, in order to avoid IP 
conflicts. If you’re on a new network (e.g. it’s the first time Windows has seen that MAC address for the IP address of 
the router) you’ll usually be asked which type of network you’re on (unless you’ve already ticked the box to say treat 
all future networks as Public). I’m guessing you never see that and it’s stuck on “Identifying”. I get the impression 
that only generally happens when there’s a bad switch or cable, but I’m not sure why you’re seeing it with the virtual 
adaptor.

 

I did stumble upon a forum post that suggests the Bonjour service that comes with software such as iTunes can cause 
this problem. If you have the Bonjour service listed in services.msc it might be worth temporarily disabling it (and 
possibly restarting your computer). I’ve also seen a suggestion that the security update KB2862330 can also cause the 
issue you’re seeing, although I wouldn’t generally recommend uninstalling security updates! I doubt either of these are 
the cause, but you’re welcome to try them.

 

As for the Npcap installation options, as I’ve possibly mentioned before I’ve always gone with the default settings, 
with just the second checkbox (support loopback traffic) selected. I’ve left all the others blank. It appears that the 
Npcap installer also tells you when WinPcap is already installed and explicitly states that installing Npcap will 
uninstall WinPcap first when installing Npcap in WinPcap API-compatible mode.

 

Rob

 

From: Mike . [mailto:dmciscobgp () hotmail com] 
Sent: 28 July 2016 22:06
To: Rob Nicholls <robert () robnicholls co uk>
Subject: Re: npcap horror story

 

thank you so much for the lengthy feedback. seriously, not trying to be a pain w/ this, but i never knew i would run 
into these issues. so i will try one more time to reinstall npcap. now, please explain something. last time i ran the 
installer, i checked only the first option. am i also supposed to select that "API winpcap" thing at the bottom as well? 
and no on the key. there is a STRING that says that, but not a key/folder 

 

Mike

 

*and again i ask what does "identifying"........ mean!!!??????????

 

  _____  

From: Rob Nicholls <robert () robnicholls co uk>
Sent: Thursday, July 28, 2016 8:00 PM
To: 'Mike .'; '食肉大灰兔V5'
Cc: 'nmap-group'
Subject: RE: npcap horror story 

 

Hi Mike, Yang,

 

I appreciate this may not be particularly helpful, but I’ve yet to encounter any issues on Windows 7 using Npcap.

 

I did briefly have similar issues with lo0 on a Windows 8 VM, but this was resolved after restarting Windows and 
reinstalling Npcap. I haven’t had any issues on any other Windows system, both native installs and virtual machines, 
while using the default installation settings.

 

The most exotic setup I’ve used so far has been a laptop running a fully patched Windows 7 Pro x64 with Intel wired and 
wireless adapters, a VirtualBox Host-Only Network virtual adapter, and a Check Point Virtual Network Adapter (used by 
SecuRemote). The Intel Ethernet adapter was even configured with a dozen virtual interfaces as I’d configured multiple 
VLANs. Most of the scans were performed with only about 4 adapters enabled. The host also had commercial anti-virus 
software installed. I’ve run multiple scans, against 1 host through to scanning 40 hosts, performing default and full 
TCP and UDP scans. I’ve also run scans against 127.0.0.1. The host also had WinPcap installed, and Wireshark still 
worked fine. Npcap with NMAP 7.25BETA1 has worked fine for me all week.

 

I’ve also built a Windows 7 Enterprise x86 VM (no Service Pack, no patches), installed Nmap and Npcap, and run a few 
scans. Again, I’ve not experienced any issues (other than Zenmap doesn’t show its icon in the shortcut for some 
reason). After installing Nmap and Npcap I opened up the Command Prompt and ran “nmap 127.0.0.1 -vv -A” and got back 
expected results after 95 seconds. An almost identical scan against one of my own servers on the Internet gave expected 
results after 66 seconds.

 

The Npcap local loopback interface on both Windows 7 systems showed a 10.0Mbps connection (with an autoconfig IP). I do 
see the LoopbackAdapter registry keys (with valid values). If you don’t have the registry key 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter then something is presumably going wrong 
during the installation of Npcap (especially as it looks like it copies the key from Software\Npcap to the 
Services\npcap key).

 

Yang, from skim reading the Npcap NSIS file, it looks like the first key is created by either NPFInstall.exe or 
NPFInstall2.exe, which are called a few times using ExecWait. I don’t see any checks after the file’s executed, other 
than whether the ExecWait of the executable returns “0”. The installer itself doesn’t seem to do much error checking at 
times. Is it possible to check within the installer, or perhaps in the NSIS script, that all of the actions have been 
performed at each step, and produce any detailed error messages if something has gone wrong during the installation? I 
mostly see a series of Extract and Execute lines interspersed with a few lines such as “Writing service options to 
registry”, but presumably we don’t check a valid registry value is present otherwise Mike would have seen an error 
during installation if his registry keys are missing.

 

If I could replicate Mike’s original issues I’d be happy to help Yang debug the problem, but at the moment it looks 
like something specific to Mike’s particular system.

 

Mike, I see a similar “Error in OpenService” message twice if I run Nmap 7.25BETA1 after deleting the npcap service on 
my clean Windows 7 test VM. If I subsequently install WinPcap I only get the error message once. I presume the error 
occurs once checking for the npcap service and a second time looking for WinPcap (the npf service). It sounds like you 
may have uninstalled or deleted Npcap and left WinPcap installed if you only get it once.

 

It might make sense for someone to modify Nmap to only show that error if both npcap and npf are missing, or perhaps 
relegate it all to debug output? Otherwise anyone sticking with WinPcap will always see the error when Nmap checks for 
npcap.

 

Rob

 

From: dev [mailto:dev-bounces () nmap org] On Behalf Of Mike .
Sent: 28 July 2016 19:04
To: nmap-group <dev () nmap org>
Subject: npcap horror story

 

i call it a horror story because of all that i have had to go through in getting it to work, which it never did. so i 
deleted both adapters, rebooted and now nmap tells me this when i try and scan

 

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-28 12:57 Central Daylight Time

Error in OpenService

 

 

would be nice if it told me what service it was trying to open. anyway, done with npcap and the hoop jumping required 
to get it to work. i can live without scanning loopback. it's not the end of the world. my only ? is this...did anyone 
ever test this on win7?

 

Mike

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
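
An added example, not part of the original thread or of the Nmap or Npcap code: a read-only PowerShell check of the install state discussed in the messages above, covering the npcap and npf service keys and the LoopbackAdapter registry value. The service names and the Services\npcap path come from the thread; the HKLM:\SOFTWARE\Npcap path and the helper name Get-RegValue are assumptions.

```powershell
# Added example: read-only check of the Npcap/WinPcap install state.
# It changes nothing; it only reads the registry.

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns the value data, or $null when the key
    # or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# A service (kernel drivers included) is registered when its key exists here.
$hasNpcap = Test-Path "$svcRoot\npcap"   # Npcap driver service
$hasNpf   = Test-Path "$svcRoot\npf"     # WinPcap driver service

# LoopbackAdapter is read as a value under the key; Mike reports seeing it
# as a string rather than a key/folder.
$loopSvc  = Get-RegValue "$svcRoot\npcap" 'LoopbackAdapter'
$loopSoft = Get-RegValue 'HKLM:\SOFTWARE\Npcap' 'LoopbackAdapter'   # assumed path

"npcap service key                : $hasNpcap"
"npf service key                  : $hasNpf"
"LoopbackAdapter (Services\npcap) : $(if ($loopSvc)  { $loopSvc }  else { '<missing>' })"
"LoopbackAdapter (SOFTWARE\Npcap) : $(if ($loopSoft) { $loopSoft } else { '<missing>' })"

if (-not $hasNpcap -and -not $hasNpf) {
    # Rob saw "Error in OpenService" twice in this state.
    'Neither npcap nor npf is registered: reinstall Npcap or WinPcap.'
} elseif (-not $hasNpcap) {
    # Rob saw the error once in this state (WinPcap only).
    'Only npf is registered: Nmap will report one OpenService error for npcap.'
} elseif (-not $loopSvc) {
    'npcap is registered but LoopbackAdapter is missing: loopback support was not selected or that install step failed.'
} elseif ($loopSoft -and $loopSoft -ne $loopSvc) {
    'LoopbackAdapter differs between the two keys: the copy step did not complete cleanly.'
} else {
    'No inconsistency found in the checked keys.'
}
```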
