Wireshark mailing list archives

Re: Npcap 0.03 call for test


From: Yang Luo <hsluoyb () gmail com>
Date: Sat, 15 Aug 2015 14:47:43 +0800

Hi Jim, Pascal,

I have added loopback packet sending support in 0.03-r5 using several
commits. As you said, it should be one commit in 0.03-r5 that leads to
this IRQL_NOT_LESS_OR_EQUAL BSoD, but I couldn't reproduce it. So I have
separated 0.03-r5 version into 6 sub-versions in:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap_history_versions/. Maybe
you would like to test from which sub-version this BSoD starts to happen.
These 6 sub-version installers correspond to
https://github.com/nmap/npcap/commits/master as below, so it will be easier
for me to locate the position. Thanks!

9132448    npcap-nmap-0.03-r5.exe
1a99e71    npcap-nmap-0.03-r5-2.exe
a70d4eb    npcap-nmap-0.03-r5-3.exe
fdaaa13    npcap-nmap-0.03-r5-4.exe
38ab966    npcap-nmap-0.03-r5-5.exe
beb669e    npcap-nmap-0.03-r5-6.exe


Cheers,
Yang


On Tue, Aug 11, 2015 at 11:43 AM, Jim Young <jyoung () gsu edu> wrote:

Hello Yang,


I installed npcap-nmap-0.03-r6.exe but am still getting the IRQL_NOT_LESS_OR_EQUAL
(a) BSoD on my Windows 8.1 system immediately when I start Wireshark.


I went back and retested 0.03-r3, 0.03-r4 and 0.03-r5 to confirm that it's only
r5 and r6 that trigger the immediate BSoD on my system.


Here's the last BSoD WinDbg output when using Npcap 0.03-r6.


---------


2: kd> .symfix C:\Symbols
2: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
.....................................
Loading unloaded module list
........
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8013ff660cc, address which referenced memory


Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for npf.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll -

WRITE_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 000000000000a620

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeAcquireSpinLockRaiseToDpc+1c
fffff801`3ff660cc f0480fba2900    lock bts qword ptr [rcx],0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  dumpcap.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME:  ffffd00035417600 -- (.trap 0xffffd00035417600)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
rdx=ffffe001230a2900 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8013ff660cc rsp=ffffd00035417790 rbp=ffffd00035417b80
 r8=ffffe0011fed41a0  r9=000000000000000e r10=0000000000000801
r11=ffffe00122517440 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!KeAcquireSpinLockRaiseToDpc+0x1c:
fffff801`3ff660cc f0480fba2900    lock bts qword ptr [rcx],0 ds:00000000`0000a620=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8013ffea7e9 to fffff8013ffdeca0


STACK_TEXT:
ffffd000`354174b8 fffff801`3ffea7e9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd000`354174c0 fffff801`3ffe903a : 00000000`00000001 00000000`00000000 00000000`00000000 ffffd000`35417730 : nt!KiBugCheckDispatch+0x69
ffffd000`35417600 fffff801`3ff660cc : 00000000`00000001 ffffc002`00000000 ffffc002`018bf601 00000000`00000000 : nt!KiPageFault+0x23a
ffffd000`35417790 fffff801`688d7186 : 00000000`00000000 ffffe001`230474c0 00000000`00000001 ffffd000`35417b80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`354177c0 fffff801`688d7a24 : 00000000`00001ef0 ffffe001`230a2900 00000000`00000000 ffffd000`00000000 : npf+0x3186
ffffd000`354177f0 fffff801`402b377f : 00000000`00000001 ffffe001`230a2900 ffffe001`230a2900 00000000`00000001 : npf+0x3a24
ffffd000`35417880 fffff801`402b2d22 : ffffd000`35417a38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`35417a20 fffff801`3ffea4b3 : ffffe001`21d2c080 ffffd000`001f0003 00000017`cb91ca98 00000017`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd000`35417a90 00007ffe`449c123a : 00007ffe`41b65fe3 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000017`cb91ca48 00007ffe`41b65fe3 : 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 00000000`00000013 : ntdll!NtDeviceIoControlFile+0xa
00000017`cb91ca50 00007ffe`42151bb0 : 00000000`00001ef0 00007ffe`4496713a 00000000`00000020 00000000`00000000 : KERNELBASE!DeviceIoControl+0x121
00000017`cb91cac0 00007ffe`399f3d65 : 00000017`cba14960 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 : KERNEL32!DeviceIoControlImplementation+0x80
00000017`cb91cb10 00000017`cba14960 : 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 : packet+0x3d65
00000017`cb91cb18 00000017`cb91cdb0 : ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 00000000`00000000 : 0x00000017`cba14960
00000017`cb91cb20 ffffffff`ffffffff : 00000017`cb91cdb0 00000000`00000000 00000000`00000000 00000017`cb91cb60 : 0x00000017`cb91cdb0
00000017`cb91cb28 00000017`cb91cdb0 : 00000000`00000000 00000000`00000000 00000017`cb91cb60 00000000`00000000 : 0xffffffff`ffffffff
00000017`cb91cb30 00000000`00000000 : 00000000`00000000 00000017`cb91cb60 00000000`00000000 00000017`cba14960 : 0x00000017`cb91cdb0



STACK_COMMAND:  kb


FOLLOWUP_IP:
npf+3186
fffff801`688d7186 4032ff          xor     dil,dil

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  npf+3186

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npf

IMAGE_NAME:  npf.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55c878a8

FAILURE_BUCKET_ID:  AV_npf+3186

BUCKET_ID:  AV_npf+3186

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_npf+3186

FAILURE_ID_HASH:  {cd892a8a-243d-2266-f935-8db54b10ab51}

Followup: MachineOwner

---------


Best regards,


Jim Y.



------------------------------
*From:* wireshark-dev-bounces () wireshark org <
wireshark-dev-bounces () wireshark org> on behalf of Yang Luo <
hsluoyb () gmail com>
*Sent:* Monday, August 10, 2015 06:40
*To:* Developer support list for Wireshark
*Subject:* Re: [Wireshark-dev] Npcap 0.03 call for test

Hi Jim, Pascal,

This IRQL_NOT_LESS_OR_EQUAL (a) BSoD seems to be caused by the
NdisAcquireSpinLock call in function NPF_StartUsingOpenInstance having
referred to freed Open struct memory. I have tried to fix it in the latest
installer; you may try it at:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r6.exe

Cheers,
Yang



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
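
A triage helper for the bugcheck 0xA output quoted in this thread, added here as an example and not part of the original messages or of Npcap: it decodes Arg1 to Arg4 as the analysis text describes them and picks the first frame outside nt! as the driver to inspect. The function name, the constants and the abridged sample are assumptions of the example.

```python
import re

KERNEL_SPACE_START = 0xFFFF800000000000  # x64 upper half (assumption: amd64 dump)
DISPATCH_LEVEL = 2

# Sample input: lines abridged from the !analyze -v output quoted in this thread.
SAMPLE = r"""
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff8013ff660cc, address which referenced memory
STACK_TEXT:
ffffd000`354174b8 fffff801`3ffea7e9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd000`35417600 fffff801`3ff660cc : 00000000`00000001 ffffc002`00000000 ffffc002`018bf601 00000000`00000000 : nt!KiPageFault+0x23a
ffffd000`35417790 fffff801`688d7186 : 00000000`00000000 ffffe001`230474c0 00000000`00000001 ffffd000`35417b80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`354177c0 fffff801`688d7a24 : 00000000`00001ef0 ffffe001`230a2900 00000000`00000000 ffffd000`00000000 : npf+0x3186
ffffd000`354177f0 fffff801`402b377f : 00000000`00000001 ffffe001`230a2900 ffffe001`230a2900 00000000`00000001 : npf+0x3a24
"""

ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+)", re.M)
# "child-sp return-address : four args : symbol", as printed under STACK_TEXT
FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$", re.M)


def triage_bugcheck_a(text):
    """Decode the four bugcheck 0xA arguments and find the first non-nt frame."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    if sorted(args) != [1, 2, 3, 4]:
        raise ValueError("expected Arg1..Arg4 in the analysis output")
    frames = FRAME_RE.findall(text)
    # Frames are innermost first; the first one outside nt! is the driver to inspect.
    idx = next((i for i, f in enumerate(frames) if not f.startswith("nt!")), None)
    return {
        # Arg3 bitfield: bit 0 = write, bit 3 = execute (per the analysis text).
        "access": "execute" if args[3] & 0x8 else "write" if args[3] & 0x1 else "read",
        "irql": args[2],
        "at_dispatch_or_above": args[2] >= DISPATCH_LEVEL,
        # Arg1 below the kernel half is not a kernel address at all.
        "kernel_pointer": args[1] >= KERNEL_SPACE_START,
        "suspect_frame": frames[idx] if idx is not None else None,
        # The kernel routine the suspect frame called when the fault hit.
        "kernel_call": frames[idx - 1] if idx else None,
    }


if __name__ == "__main__":
    for key, value in triage_bugcheck_a(SAMPLE).items():
        print(f"{key}: {value}")
```
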