Wireshark mailing list archives
Re: Npcap 0.04 call for test
From: Pascal Quantin <pascal.quantin () gmail com>
Date: Sun, 16 Aug 2015 17:55:15 +0200
On 16 Aug 2015 3:39 PM, "Pascal Quantin" <pascal.quantin () gmail com> wrote:
Hi Yang,
2015-08-16 14:18 GMT+02:00 Yang Luo <hsluoyb () gmail com>:
Hi Pascal,
I think this BSoD is caused by the Winsock Kernel init code in the Npcap driver (NPF_WSKStartup call or NPF_WSKInitSockets call failed). I can't reproduce it on my Win8.1 VM, Win10 VM and Win10 physical host. I used VMware Workstation 11.1.2 for my VMs. I don't know which type your VM is? There shouldn't be much hardware difference between VMs. What special software have you installed on your VM? The boldest idea is that you provide a VM image in which this problem occurs, if you like.
I'm running a Windows 10 x64 VM running on Virtualbox 5.0 (with extension
pack) with just Wireshark 1.99.9 development version and Nmap installed. No other specific software installed. In the VM system settings, I have checked IO-APIC, PAE/NX, VT-x/AMD-V and nested paging options with 2 processors. The network adapter is using the default setting (NAT).
The VM is 41Gb so I will not be able to upload it unfortunately. But
maybe you could reproduce it with Virtualbox instead of VMware?
I just gave a try to Npcap 0.04 on a Windows 10 x64 host and everything is working fine (no BSoD, loop back interface present and capturing data). So it could be a bug on VirtualBox side (I just saw that they released version 5.0.2 and claim that Windows 10 is not officially supported yet due to issues remaining). The ultimate test will be on the Windows 7 PC that was crashing before but I cannot give it a try before the 1st of September.
BTW Npcap 0.04 still reports version 0.03 in the version string retrieved by Wireshark.
Another way is that you try the installer below with debug trace on. With DebugView on ("Capture Kernel" on and "Enable Verbose Kernel Output" on), install this debug version of Npcap, then launch Wireshark. The error message should then be recorded in DebugView; save the text into a log file and give it to me. This way I could know the failed function call and its error code. I don't know if this could give me enough information to fix it, but it's an easier way.
Npcap 0.04 with debug trace on: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04-debug.exe
DebugView: https://technet.microsoft.com/en-us/Library/bb896647.aspx

Please find attached DebugView log. Please note that (as explained in my previous email) I do not have the BSoD anymore with 0.04 but that instead loopback adapter is no more listed in Wireshark.
Pascal.

Cheers,
Yang

On Sun, Aug 16, 2015 at 2:10 AM, Pascal Quantin <pascal.quantin () gmail com> wrote:
Hi Yang,
2015-08-15 14:38 GMT+02:00 Yang Luo <hsluoyb () gmail com>:
Hi list,
Thanks for your tests for the first 3 versions of Npcap, with your tests I am able to release Npcap 0.04 version as below:
1) Fixed the BAD_POOL_CALLER BSoD.
2) Updated Packet, NPFInstall, NPcapHelper projects to MSVC 2010, updated driver to MSVC 2015.
3) Fixed the "Malformed Packet" bug when executing commands like "ping -t -l 65500 127.0.0.1".
4) Added loopback packet sending support using Winsock Kernel technique.
5) Fixed the bug that Npcap loopback adapter fails to capture packets when capture filter is specified.
6) Fixed the bug that Npcap fails to capture all chargen protocol packets.
7) Fixed the bug that Npcap didn't finish IRP when opening adapter fails, this perhaps causes some issues, like the IRQL_NOT_LESS_OR_EQUAL BSoD. I don't know if it is fixed, please let me know the result. (also the results of the 6 sub-versions for 0.03-r5)
The latest Npcap installer is: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04.exe
Previous versions can be found at: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap_history_versions/
I have tested this version of Npcap under Wireshark 1.99.8 x64, in Windows 8.1 x64 and Windows 10 x64.
Notice:
1) You need to try it under Win7 and later, and no need to change the installation options, just click the "Next"s. Npcap installed in "WinPcap Compatible Mode" is exclusive with WinPcap, so you must uninstall WinPcap first (the installer will prompt you for this).
2) If you have installed WinPcap, it is better to reboot the PC after uninstalling WinPcap and then install Npcap.
The README is: https://github.com/nmap/npcap
Cheers,
Yang

On my Windows 10 x64 virtual machine, the BSoD appears with changeset fdaaa13 (npcap-nmap-0.03-r5-4) and happens with all subsequent 0.03 releases. I cannot test with the Windows 7 x64 PC I used initially before the 1st of September, so hopefully this is the same root cause.
Npcap 0.04 does not crash on the same machine but the loopback
interface is not listed in Wireshark (the network interface is installed though).
Cheers, Pascal.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe