npcap bug in Win7? With the npcap filter driver enabled, TX is prevented

["Frantisek Rysanek" <Frantisek.Rysanek () post cz>]

Dear polite NMAP developers,

I'm trying to ask about... what appears to be a bug in the npcap 
filter driver, that has occurred in Windows 7 on one machine that I 
have around...
It is an up-to-date Windows 7 64b desktop. Yesterday I installed a 
freshly downloaded Wireshark, probably 3.2.3. The wireshark installer 
has installed npcap along the way - I recall allowing the WiFi 
raw/monitor mode extensions and skipping the WinPcap compatibility 
API (not needed for Wireshark). The npcap version appears to be 
0.9989.
Yesterday, the machine kept working, with or without Wireshark 
running, kept surfing the web, reading emails, printing over LPR etc.

Today since the morning = after a power cycle, the user wasn't able 
to get online. No network connectivity. There would be L1 link, but 
DHCP would fail. So I started the Wireshark and I also kept an eye on 
the DHCP log at the server (out of band). At the culprit machine, we 
could see outgoing "DHCP discover" queries in Wireshark, we could see 
incoming broadcast traffic on that port, but there would be no 
incoming DHCP responses (offers). It turned out that the server could 
not see our "DHCP discover" queries. And, another bizzarre symptom: 
the TX packets counter in the culprit Windows, on the culprit LAN 
port, would show 0 packets physically transmitted. 
(Before this, my colleague tried inserting a different model NIC 
card, which did not help, and tried a different cable, and switch 
port, which did not help either - though initially he said that one 
other notebook would not link on the original cable and switch port, 
which later got rectified by cable replacement.)
Finally, I told him to go into the adapter properties in Windows and 
disable the npcap filter driver. 
Lo and behold, the DHCP handshake finally succeeded, and all has been 
well ever since.

I'm wondering if there have possibly been two incidents in the game:
1) a cable failure, which got rectified by replacing the cable
2) meanwhile, he has also replaced the NIC, so maybe the npcap filter 
driver did not bind correctly to the newly installed NIC adapter in 
Windows?

I should've thanked all the marvellous open-source developers in the 
first place, for wireshark, pcap and nmap - in no particular order. 
I feel shame for complaining about this marginal bug :-)
Have fun, keep coding, stay safe.

Any comments welcome.

Frank Rysanek

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/