Re: npcap horror story

[食肉大灰兔V5 <hsluoyz () gmail com>]

Hi Mike,

I think this is a very rare issue because no one can reproduce it now.
Personally I think the reason is that  you installed some incompatible
softwares. A stock Windows OS won't behave like this. So my suggestion is
that you prepare a stock OS, then install your softwares one by one, to see
which software causes this issue.

Another way is that providing a remote access to me, so I can log on to see
what happens.


Cheers,
Yang


On Sat, Jul 30, 2016 at 1:34 AM, Rob Nicholls <robert () robnicholls co uk>
wrote:

> Hi Mike,
>
>
>
> Based on experience, Windows will display “Identifying” for a few seconds
> when a network adaptor thinks the connection is up (e.g. network cable is
> plugged in). I don’t think it should last more than a few seconds if
> everything’s working correctly.
>
>
>
> I’ve not really looked into it, but I suspect when it says “Identifying”
> it may be trying to negotiate the speed of the link, then sending DHCP
> requests to get an IPv4 address and details of the router (and potentially
> DNS servers), as well as similar requests for IPv6, such as listening for
> Router Advertisement responses to its Router Solicitation requests or
> DHCPv6 responses. If you’re not using DHCP on an interface and you’ve set a
> static IP instead, I believe it also sends ARP requests for the IP before
> allowing Windows to use that “preferred” IP itself, in order to avoid IP
> conflicts. If you’re on a new network (e.g. it’s the first time Windows has
> seen that MAC address for the IP address of the router) you’ll usually be
> asked which type of network you’re on (unless you’ve already ticked the box
> to say treat all future networks as Public). I’m guessing you never see
> that and it’s stuck on “Identifying”. I get the impression that only
> generally happens when there’s a bad switch or cable, but I’m not sure why
> you’re seeing it with the virtual adaptor.
>
>
>
> I did stumble upon a forum post that suggests the Bonjour service that
> comes with software such as iTunes can cause this problem. If you have the
> Bonjour service listed in services.msc it might be worth temporarily
> disabling it (and possibly restarting your computer). I’ve also seen a
> suggestion that the security update KB2862330 can also cause the issue
> you’re seeing, although I wouldn’t generally recommend uninstalling
> security updates! I doubt either of these are the cause, but you’re welcome
> to try them.
>
>
>
> As for the Npcap installation options, as I’ve possibly mentioned before
> I’ve always gone with the default settings, with just the second checkbox
> (support loopback traffic) selected. I’ve left all the others blank. It
> appears that the Npcap installer also tells you when WinPcap is already
> installed and explicitly states that installing Npcap will uninstall
> WinPcap first when installing Npcap in WinPcap API-compatible mode.
>
>
>
> Rob
>
>
>
> *From:* Mike . [mailto:dmciscobgp () hotmail com]
> *Sent:* 28 July 2016 22:06
> *To:* Rob Nicholls <robert () robnicholls co uk>
> *Subject:* Re: npcap horror story
>
>
>
> thank you so much for the lengthy feedback [image: 😊] seriously, not
> trying to be a pain w/ this, but i never knew i would run into these
> issues. so i will try one more time to reinstall npcap. now, please explain
> something. last time i ran the installer, i checked only the first option.
> am i also supposed to select that "API winpcap" thing at the botom as well?
> and no on the key. there is a STRING that says that, but not a key/folder
>
>
>
> Mike
>
>
>
> *and again i ask what does "identifying"........ mean!!!??????????
>
>
> ------------------------------
>
> *From:* Rob Nicholls <robert () robnicholls co uk>
> *Sent:* Thursday, July 28, 2016 8:00 PM
> *To:* 'Mike .'; '食肉大灰兔V5'
> *Cc:* 'nmap-group'
> *Subject:* RE: npcap horror story
>
>
>
> Hi Mike, Yang,
>
>
>
> I appreciate this may not be particularly helpful, but I’ve yet to
> encounter any issues on Windows 7 using Npcap.
>
>
>
> I did briefly have similar issues with lo0 on a Windows 8 VM, but this was
> resolved after restarting Windows and reinstalling Npcap. I haven’t had any
> issues on any other Windows system, both native installs and virtual
> machines, while using the default installation settings.
>
>
>
> The most exotic setup I’ve used so far has been a laptop running a fully
> patched Windows 7 Pro x64 with Intel wired and wireless adapters, a
> VirtualBox Host-Only Network virtual adapter, and a Check Point Virtual
> Network Adapter (used by SecuRemote). The Intel Ethernet adapter was even
> configured with a dozen virtual interfaces as I’d configured multiple
> VLANs. Most of the scans were performed with only about 4 adapters enabled.
> The host also had commercial anti-virus software installed. I’ve run
> multiple scans, against 1 host through to scanning 40 hosts, performing
> default and full TCP and UDP scans. I’ve also run scans against 127.0.0.1.
> The host also had WinPcap installed, and Wireshark still worked fine. Npcap
> with NMAP 7.25BETA1 has worked fine for me all week.
>
>
>
> I’ve also built a Windows 7 Enterprise x86 VM (no Service Pack, no
> patches), installed Nmap and Npcap, and run a few scans. Again, I’ve not
> experienced any issues (other than Zenmap doesn’t show its icon in the
> shortcut for some reason). After installing Nmap and Npcap I opened up the
> Command Prompt and ran “nmap 127.0.0.1 -vv -A” and got back expected
> results after 95 seconds. An almost identical scan against one of my own
> servers on the Internet gave expected results after 66 seconds.
>
>
>
> The Npcap local loopback interface on both Windows 7 systems showed a
> 10.0Mbps connection (with an autoconfig IP). I do see the LoopbackAdapter
> registry keys (with valid values). If you don’t have the registry key
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter
> then something is presumably going wrong during the installation of Npcap
> (especially as it looks like it copies the key from Software\Npcap to the
> Services\npcap key).
>
>
>
> Yang, from skim reading the Npcap NSIS file, it looks like the first key
> is created by either NPFInstall.exe or NPFInstall2.exe, which are called a
> few times using ExecWait. I don’t see any checks after the file’s executed,
> other than whether the ExecWait of the executable returns “0”. The
> installer itself doesn’t seem to do much error checking at times. Is it
> possible to check within the installer, or perhaps in the NSIS script, that
> all of the actions have been performed at each step, and produce any
> detailed error messages if something has gone wrong during the
> installation? I mostly see a series of Extract and Execute lines
> interspersed with a few lines such as “Writing service options to
> registry”, but presumably we don’t check a valid registry value is present
> otherwise Mike would have seen an error during installation if his registry
> keys are missing.
>
>
>
> If I could replicate Mike’s original issues I’d be happy to help Yang
> debug the problem, but at the moment it looks like something specific to
> Mike’s particular system.
>
>
>
> Mike, I see a similar “Error in OpenService” message twice if I run Nmap
> 7.25BETA1 after deleting the npcap service on my clean Windows 7 test VM.
> If I subsequently install WinPcap I only get the error message once. I
> presume the error occurs once checking for the npcap service and a second
> time looking for WinPcap (the npf service). It sounds like you may have
> uninstalled or deleted Npcap and left WinPcap installed if you only get it
> once.
>
>
>
> It might make sense for someone to modify Nmap to only show that error if
> both npcap and npf are missing, or perhaps relegate it all to debug output?
> Otherwise anyone sticking with WinPcap will always see the error when Nmap
> checks for npcap.
>
>
>
> Rob
>
>
>
> *From:* dev [mailto:dev-bounces () nmap org <dev-bounces () nmap org>] *On
> Behalf Of *Mike .
> *Sent:* 28 July 2016 19:04
> *To:* nmap-group <dev () nmap org>
> *Subject:* npcap horror story
>
>
>
> i call it a horror story because of all that i have had to go through in
> geting it to work, which it never did. so i deleted both adapters, rebooted
> and now nmap tells me this when i try and scan
>
>
>
> Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-28 12:57 Central
> Dayligh
>
> Nmap: the Network Mapper - Free Security Scanner <https://nmap.org/>
>
> nmap.org
>
> Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool.
> Download open source software for Linux, Windows, UNIX, FreeBSD, etc.
>
>
>
> t Time
>
> Error in OpenService
>
>
>
>
>
> would be nice if it told me what service it was trying to open. anyway,
> done with npcap and the hoop jumping required to get it to work. i can live
> without scanning loopback. it's not the end of the world. my only ? is
> this...did anyone ever test this on win7?
>
>
>
> Mike
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/