Re: Replicable problem with later versions of npcap

["Kurt Buff - GSEC, GCIH" <kurt.buff () gmail com>]

All,

I just noticed that I had only replied to Daniel previously.

I've sent to him the output of DiagReport and the minidump generated
by Driver Verifier - it forced a BSOD when I tried to uninstall npcap.

If there's anything else I can do to help this along, please let me know.

Thanks,

Kurt

On Thu, Apr 11, 2019 at 11:23 AM Daniel Miller <bonsaiviking () gmail com> wrote:
> Kurt,
>
> We've done some initial investigation into this issue, but we haven't identified a cause yet. We'll be doing our own 
> testing with VMware soon, but if you can provide a bit more information, it would be very helpful. First, we need the 
> output of DiagReport for your system (https://nmap.org/npcap/guide/npcap-issues.html#npcap-issues-diagreport).
>
> Next, we'd like to see if we can leverage built-in Windows diagnostic tools to force a bugcheck (BSoD) which would 
> point directly to the problem. This is preferable to differential diagnosis based on behavior which can take a long 
> time. To do this, we need you to run Driver Verifier and create default settings for npcap.sys and/or npf.sys. Here 
> is the information about Driver Verifier: 
> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/driver-verifier
>
> Thanks!
> Dan
>
> On Thu, Apr 4, 2019 at 12:09 PM Daniel Miller <bonsaiviking () gmail com> wrote:
> > Kurt,
> >
> > Thanks for reporting this. We'll look into it, and will be tracking the issue at http://issues.nmap.org/1541
> >
> > Dan
> >
> > On Wed, Mar 27, 2019 at 1:58 PM Kurt Buff - GSEC, GCIH <kurt.buff () gmail com> wrote:
> > > All,
> > >
> > > Found a problem with npcap .0.99-r8 (and possibly r7, but I'm not sure
> > > of that) up to and including 0.992, with suspended VMs under VMware
> > > Workstation Pro.
> > >
> > > Configuration:
> > > -Lenovo T460p, 32gb RAM with Intel Dual Band Wireless AC 8260 adapter
> > > (I do not use the wired adapter, but it is, for completeness sake, an
> > > Intel 1219-LM), all current drivers (per the Lenovo update utility)
> > > -Win10 1709, fully patched except for this month's patches, coming soon.
> > > - VMWare Workstation Pro, 14.1.6 build-12368378
> > > - A VM running Win10 1709 (I have a couple of other VMs, but have not
> > > tested them, as I use them infrequently) in bridged mode.
> > > - I normally access the VM via RDP from the host.
> > >
> > > On the laptop host OS, I upgraded Wireshark to 3.0.0 yesterday (bear
> > > with me) and accepted the upgrade of npcap to 0.99-r8, and all seemed
> > > well. However, per my normal practice, I suspended the VM, then
> > > hibernated the laptop and found upon arriving home that evening that
> > > my Win10 1709 VM could not touch the network. The VM was unchanged, no
> > > upgrades (it has npcap 0.99-r8, but I don't believe it's involved).
> > > Once home, I woke up the laptop and unsuspended the VM, and I could
> > > not ping the VM from the laptop, nor could the VM see the network when
> > > I logged into the console via VMware.
> > >
> > > I then uninstalled Wireshark and npcap, and the VM saw the network
> > > immediately. I was then able to install npcap, and the VM still
> > > functioned. I didn't install either Wireshark or nmap, just npcap. At
> > > the end of the evening, I suspended the VM again, and hibernated the
> > > laptop.
> > >
> > > I then tried again, suspending/unsuspending the VM and again npcap
> > > prevented the newly unsuspended VM from seeing the network, and
> > > uninstalling npcap gave immediate access to the network for the VM.
> > >
> > > I was able to replicate the problem again today, as I fired up the
> > > laptop from hibernation, then unsuspended the VM, and the VM wasn't
> > > able to connect to the network. Again, as soon as I removed npcap
> > > 0.992, the VM was on the network.
> > >
> > > In all cases, the host OS had no problems with networking, other than
> > > not being able to see the VM, and the VM not being able to see its
> > > network.
> > >
> > > If any more info is needed, please let me know, as i'd like to help
> > > resolve this problem.
> > >
> > > Thanks,
> > >
> > > Kurt
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/