Wireshark mailing list archives

Re: Npcap 0.01 call for test about Windows loopback traffic capture feature


From: Tyson Key <tyson.key () gmail com>
Date: Sun, 19 Jul 2015 16:41:39 +0100

Hi Yang,

Sorry for the late reply about the BSOD issue (especially in this thread),
but here is my debugging information, from BlueScreenView;

==================================================
Dump File         : 071115-33031-01.dmp
Crash Time        : 11/07/2015 08:56:46 pm
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
Parameter 2       : 00000000`00001200
Parameter 3       : 00000000`0c000000
Parameter 4       : ffffe001`f29be558
Caused By Driver  : tcpip.sys
Caused By Address : tcpip.sys+1c2180
File Description  : TCP/IP Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
Processor         : x64
Crash Address     : ntoskrnl.exe+150ca0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\071115-33031-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 9600
Dump File Size    : 281,456
Dump File Time    : 11/07/2015 08:57:50 pm
==================================================

I don't know if they're related to NPCap, or WinPCap (since BSV seems to
load the current executable/DLL images from disk, to resolve the vendor
names; and the nature of npf.sys is that it's always RAM-resident, and
loaded into the TCP/IP stack), but I also have MiniDumps with
SYSTEM_SERVICE_EXCEPTION, and SYSTEM_THREAD_EXCEPTION_NOT_HANDLED errors.

Tyson.

2015-07-17 1:57 GMT+01:00 Yang Luo <hsluoyb () gmail com>:

Hi Tyson,

On Thu, Jul 16, 2015 at 6:10 PM, Tyson Key <tyson.key () gmail com> wrote:

Hi Yang,

Come to think of it, I got exactly the same BSoD error as Jim (
BAD_POOL_CALLER).


About this BAD_POOL_CALLER BSOD, I think there may be some bugs in
allocating pool memory. I have found this in MS:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff560185(v=vs.85).aspx.
It needs the four parameters in your BSOD screen to check the detailed
crash reason. It's good if you can provide it :)


However, my configuration is different (I have a bunch of VMware
interfaces, and an Atheros AR9485WB-EG WLAN adaptor, which is also
semi-supported by Acrylic Wi-Fi - but BSoDs for a different reason (seems
to be related to NDIS drivers, with that)), and multiple loopback adaptors
were created on my machine (named "Microsoft KM-TEST Loopback Adaptor",
instead of "NPCap Loopback", if memory serves correctly).


If you run "NPFInstall.exe -il" one time, Npcap will install one adapter
for you. This is why you have so many loopback adapters. You should run
"NPFInstall.exe -ul" to uninstall the latest loopback adapter.
And it seems that Npcap's code for renaming the adapter to "Npcap Loopback
Adapter" doesn't work on Win10, for no obvious reason. I have reported this
to Microsoft to see if there's a solution.


Bizarrely, even after uninstalling NPCap, and replacing it with WinPCap,
these KM-TEST adaptors still persist across reboots:
[image: Embedded image 1]

I assume that these are a side-effect of manually installing the .ini
file, after attempting to run the set-up tool ("npfinstall -r", "npfinstall
-li", and then "npfinstall -i") via a batch script with Administrator
privileges.

I also found that although I could see packets containing a MAC address
with the mnemonic "LOOP", I could not capture any ICMP traffic, when trying
to ping 127.0.0.1, or ::1 (using both Microsoft Network Monitor, and
Wireshark - the latter of which would not detect any interfaces, after
reinstalling NPCap a few times, before eventually replacing it with
WinPCap, until I rebooted).


If you have installed multiple loopback adapters using "NPFInstall.exe
-il", Npcap will view only the last one as the real "Npcap Loopback
Adapter", so in your picture, it is only "Ethernet 4" that can be
recognized by Npcap as loopback adapter. In this adapter, you should be
able to see the loopback traffic.


If I get time, I'm going to see if I can reproduce the BSoD, and try
writing down the steps involved.

If you found another BSOD, perhaps you can take a picture of it, so I can
get enough details about the causes and parameters about it.


Tyson.


Cheers,
Yang


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe




-- 
                                          Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844
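
The thread asks for the four bug check parameters in order to find the detailed crash reason. The following is an added example, not code from either poster or from Npcap, that reads them out of a BlueScreenView report and labels them. The table is a subset of Microsoft's documented Bug Check 0xC2 parameter meanings, and the function names are hypothetical.

```python
import re

# Constructed sample: the triage-relevant fields of the BlueScreenView
# report quoted in this message (values copied from the post).
REPORT = """\
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
Parameter 2       : 00000000`00001200
Parameter 3       : 00000000`0c000000
Parameter 4       : ffffe001`f29be558
Caused By Driver  : tcpip.sys
"""

# Subset of Microsoft's Bug Check 0xC2 table, keyed by Parameter 1:
# (meaning of P2, meaning of P3, meaning of P4, cause).
C2_TABLE = {
    0x06: ("reserved", "pointer to pool header", "pool header contents",
           "pool block freed twice"),
    0x07: ("reserved", "pool header contents", "address of block being freed",
           "pool block freed twice"),
    0x08: ("current IRQL", "pool type", "allocation size in bytes",
           "pool allocated at invalid IRQL"),
    0x09: ("current IRQL", "pool type", "address of pool",
           "pool freed at invalid IRQL"),
}

def parse_report(text):
    """Return {field name: value} for every 'Name : value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def to_int(value):
    """Convert debugger-style hex (optional 0x, backtick separator) to int."""
    return int(value.replace("`", ""), 16)

def decode_c2(fields):
    """Label the parameters of a 0xC2 bug check; None for any other code."""
    if to_int(fields["Bug Check Code"]) != 0xC2:
        return None
    p = [to_int(fields[f"Parameter {i}"]) for i in range(1, 5)]
    names = C2_TABLE.get(p[0])
    if names is None:  # violation type outside the subset above
        return {"cause": f"unlisted violation type 0x{p[0]:x}", "params": p}
    out = {"cause": names[3]}
    out.update({names[i]: p[i + 1] for i in range(3)})
    return out
```

For the report in this message, Parameter 1 = 0x7 decodes to a pool block being freed twice, with Parameter 4 as the address of that block; finding which driver issued the second free still needs the call stack from the dump.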
