Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: npcap bug in Win7? With the npcap filter driver enabled, TX is prevented

From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 14 May 2020 12:27:16 -0500
Frantisek,

Thanks for this bug report. This is most likely a known bug:
https://github.com/nmap/nmap/issues/1998

This causes network interruption on Windows 7, and was fixed in Npcap
0.9991. Please update Npcap to fix this issue.

Dan

On Thu, May 7, 2020 at 3:01 AM Frantisek Rysanek <Frantisek.Rysanek () post cz>
wrote:


Dear polite NMAP developers,

I'm trying to ask about... what appears to be a bug in the npcap
filter driver, that has occurred in Windows 7 on one machine that I
have around...
It is an up-to-date Windows 7 64b desktop. Yesterday I installed a
freshly downloaded Wireshark, probably 3.2.3. The wireshark installer
has installed npcap along the way - I recall allowing the WiFi
raw/monitor mode extensions and skipping the WinPcap compatibility
API (not needed for Wireshark). The npcap version appears to be
0.9989.
Yesterday, the machine kept working, with or without Wireshark
running, kept surfing the web, reading emails, printing over LPR etc.

Today since the morning = after a power cycle, the user wasn't able
to get online. No network connectivity. There would be L1 link, but
DHCP would fail. So I started the Wireshark and I also kept an eye on
the DHCP log at the server (out of band). At the culprit machine, we
could see outgoing "DHCP discover" queries in Wireshark, we could see
incoming broadcast traffic on that port, but there would be no
incoming DHCP responses (offers). It turned out that the server could
not see our "DHCP discover" queries. And, another bizzarre symptom:
the TX packets counter in the culprit Windows, on the culprit LAN
port, would show 0 packets physically transmitted.
(Before this, my colleague tried inserting a different model NIC
card, which did not help, and tried a different cable, and switch
port, which did not help either - though initially he said that one
other notebook would not link on the original cable and switch port,
which later got rectified by cable replacement.)
Finally, I told him to go into the adapter properties in Windows and
disable the npcap filter driver.
Lo and behold, the DHCP handshake finally succeeded, and all has been
well ever since.

I'm wondering if there have possibly been two incidents in the game:
1) a cable failure, which got rectified by replacing the cable
2) meanwhile, he has also replaced the NIC, so maybe the npcap filter
driver did not bind correctly to the newly installed NIC adapter in
Windows?

I should've thanked all the marvellous open-source developers in the
first place, for wireshark, pcap and nmap - in no particular order.
I feel shame for complaining about this marginal bug :-)
Have fun, keep coding, stay safe.

Any comments welcome.

Frank Rysanek

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: