Wireshark mailing list archives

Re: Npcap 0.01 call for test about Windows loopback traffic capture feature


From: Tyson Key <tyson.key () gmail com>
Date: Thu, 16 Jul 2015 11:10:49 +0100

Hi Yang,

Come to think of it, I got exactly the same BSoD error as Jim
(BAD_POOL_CALLER).

However, my configuration is different (I have a bunch of VMware
interfaces, and an Atheros AR9485WB-EG WLAN adaptor, which is also
semi-supported by Acrylic Wi-Fi - but BSoDs for a different reason (seems
to be related to NDIS drivers, with that)), and multiple loopback adaptors
were created on my machine (named "Microsoft KM-TEST Loopback Adaptor",
instead of "NPCap Loopback", if memory serves correctly).

Bizarrely, even after uninstalling NPCap, and replacing it with WinPCap,
these KM-TEST adaptors still persist across reboots:
[image: embedded image 1]

I assume that these are a side-effect of manually installing the .ini file,
after attempting to run the set-up tool ("npfinstall -r", "npfinstall -li",
and then "npfinstall -i") via a batch script with Administrator privileges.

I also found that although I could see packets containing a MAC address
with the mnemonic "LOOP", I could not capture any ICMP traffic, when trying
to ping 127.0.0.1, or ::1 (using both Microsoft Network Monitor, and
Wireshark - the latter of which would not detect any interfaces, after
reinstalling NPCap a few times, before eventually replacing it with
WinPCap, until I rebooted).

If I get time, I'm going to see if I can reproduce the BSoD, and try
writing down the steps involved.

Tyson.

2015-07-16 10:56 GMT+01:00 Yang Luo <hsluoyb () gmail com>:

Hi Tyson,

Thanks for testing Npcap, and I already knew what to do about the service
not starting issue. It would be better if you could provide the steps to
reproduce the BSOD issue, because I have never encountered this. I also
encountered the connection loss problem sometimes, but it happens in a
random way and I still don't know how to reproduce it.

Cheers,
Yang


On Wed, Jul 15, 2015 at 7:03 PM, Tyson Key <tyson.key () gmail com> wrote:

Hi Yang,

Thank you for looking into implementing this. Sadly, I tried your package
on my Win8.1 x86-64 machine, and found that not only did the new NPF
service not start after uninstalling "real" WinPCap (running the
installation tool manually, with the -il, and -i options didn't seem to do
anything, until rebooting), and then your new NPCap in "compatibility
mode", I had problems connecting to my WLAN, after rebooting (and I also
received a BSOD, at one stage whilst trying to capture on multiple
interfaces).

Unfortunately, I don't know if I can reproduce these issues, or provide
any logging information, this time - but if I get chance, I'll have another
look.

Take care,

Tyson.

2015-07-11 10:15 GMT+01:00 Yang Luo <hsluoyb () gmail com>:

Hi list,

In order not to diverge from the WinPcap interfaces, I have made a "WinPcap
Mode" for Npcap. It uses the same system32 directory for its DLLs and has
the same "npf" service and driver name, so it can be used directly in
Wireshark without any patch.

Another piece of news is that I have finished the Windows loopback packet
capture feature in Npcap. Npcap will install an adapter named "Npcap
Loopback Adapter", and I can see the loopback traffic using Wireshark now
(see the attached pic). It still seems to have problems, like the "(no
response found!)" in the ICMPv6 packets (ping ::1) in the pic. I don't know
why Wireshark shows it like this; perhaps you guys can give me a clue.

The latest Npcap installer is:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.01.exe

I have tested this version of Npcap under Wireshark 1.12.6 x64, in Windows
8.1 x64 and Windows Server 2016 TP2.

Notice: You need to try it under Win7 and later, and there is no need to
change the installation options; just click the "Next" buttons. Npcap
installed in "WinPcap Mode" is exclusive with WinPcap, so you must uninstall
WinPcap first (the installer will prompt you to do this).

The README is:
https://github.com/nmap/npcap

The implementation internals of the loopback traffic feature are at:
http://seclists.org/nmap-dev/2015/q3/35


Cheers,
Yang


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe




--
                                          Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844

