Wireshark mailing list archives

Re: Npcap 0.01 call for test (2nd)


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Thu, 23 Jul 2015 10:18:53 +0200

2015-07-22 21:39 GMT+02:00 Pascal Quantin <pascal.quantin () gmail com>:



2015-07-22 18:25 GMT+02:00 Yang Luo <hsluoyb () gmail com>:

Hi Pascal,

On Wed, Jul 22, 2015 at 11:33 PM, Pascal Quantin <
pascal.quantin () gmail com> wrote:


I just gave a try to this new installer:
- still my rename issue of the loop back installer (as expected ;)). Is
there some debug log / test I could do on my side? I will double check if
the rename works fine on a French Win 7.

I think I perhaps know why this doesn't work on your French Win10. It can
be language related. Because the Win10 renaming way uses string parsing
again. This is the mechanism:
1) First Npcap runs "netsh.exe interface show interface" to get all
interfaces before installing "Npcap Loopback Adapter", you will get something
like below in English language (but I don't know if my code adapts to
French, this is the key point).
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet

Npcap will parse this output to get all interface names, the method is
first going to the third line, then find the line feed char '\n', if '\n'
found, then reverse-find the two continuous space char "  ". Then we can
get a name like "VMware Network Adapter VMnet1", the same for other names.
Save them to a vector<string>.

2) After "Npcap Loopback Adapter" is installed, Npcap will run "netsh.exe
interface show interface" again, to get the updated interface list, like
below:
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet
Enabled        Connected      Dedicated        Ethernet 2

We can get another vector<string> from above output, compare these two
vectors, find the new name, which is "Ethernet 2".

3) Then Npcap will rename this new adapter using "netsh.exe interface set
interface name=\"%s\" newname=\"%s\"", the first %s is the previous "Ethernet
2", and the second %s is "Npcap Loopback Adapter".

So I think this way possibly fails in a different language system than
English, because the output of "netsh.exe interface show interface" can be
language specific. You can try these commands manually to see whether this
method works.


Indeed the command output is localized. Before installing Npcap, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet

After the installation, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet
Activé         Connecté       Dédié            Ethernet 2

Executing manually the command netsh.exe interface set interface
name="Ethernet 2" newname="Npcap Loopback Adapter"
does work.


- driver can be started after reboot (manually or with Wireshark)

Good for this.


- for those having User Account Control activated, you need to start
Wireshark as administrator (even without restricting Npcap to admin during
installation) to have the driver started. Unfortunate... If this is the
loopback adapter that triggers the issue at startup, should its
installation be optional?

I don't know whether there are many people using Wireshark in a non-Admin
privilege? If yes, then I think the lacking boot start support needs a
solution. Making loopback code optional is kind of difficult, because its
code is deep in the driver and has tight connection with other parts.


- I finally got the opportunity to test with a MBIM WWAN device (long
due task on my side ;)). The interface is not listed unfortunately.

This is weird, because in the driver's INF file, I have specified:
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan, bluetooth, ndis5, vwifi, nolower"
It should have included WAN interfaces. Perhaps you would like to find
out if this WAN device has appeared in the registry, because Npcap or WinPcap
only sees interfaces that appear in the registry, registry path is:
\\HKLM\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}.


I will try to get my hands on the PC again (gave it back to my colleague)
to verify this.



I got access to the PC. There are 2 Mobile Broadband interfaces being
listed on the PC and not seen by Npcap. You will find attached the
corresponding registry key dumps.

Cheers,
Pascal.



Cheers,
Yang



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe



Attachment: MB_module.reg
Description:

Attachment: MB_module2.reg
Description:
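
The before/after parse that Yang describes in steps 1) and 2), as an added example that is not Npcap's installer code: it skips the header by locating the dashed rule rather than by header text, takes each name with a reverse search for two spaces, and diffs the two lists. The function names, the leading blank line and CRLF endings in the sample, and the premise that the output is already decoded and that no interface name contains two consecutive spaces are assumptions.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Interface names from "netsh interface show interface" output. The header is
// skipped by finding the dashed rule, never by matching localized header text.
std::vector<std::string> parse_names(const std::string& out) {
    std::vector<std::string> names;
    std::istringstream in(out);
    std::string line;
    bool in_body = false;
    while (std::getline(in, line)) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' '))
            line.pop_back();                 // strip CR and trailing padding
        if (!in_body) {                      // still above the dashed rule
            in_body = line.size() >= 3 &&
                      line.find_first_not_of('-') == std::string::npos;
            continue;
        }
        std::size_t gap = line.rfind("  ");  // last two-space column gap
        if (gap != std::string::npos) names.push_back(line.substr(gap + 2));
    }
    return names;
}

// Names present after the install but not before it.
std::vector<std::string> new_interfaces(const std::string& before,
                                        const std::string& after) {
    std::vector<std::string> old_names = parse_names(before), added;
    for (const std::string& n : parse_names(after))
        if (std::find(old_names.begin(), old_names.end(), n) == old_names.end())
            added.push_back(n);
    return added;
}

// Constructed sample input modelled on the French output quoted in the thread.
const std::string HEADER =
    "\r\nÉtat admin    État          Type            Nom de l'interface\r\n"
    "-------------------------------------------------------------------------\r\n";
const std::string ROW1 = "Activé         Connecté       Dédié            Ethernet\r\n";
const std::string ROW2 = "Activé         Connecté       Dédié            Ethernet 2\r\n";
const std::string FR_BEFORE = HEADER + ROW1, FR_AFTER = HEADER + ROW1 + ROW2;

int main() {
    for (const std::string& n : new_interfaces(FR_BEFORE, FR_AFTER))
        std::cout << "new adapter: " << n << "\n";
}
```

If the diff returns zero names or more than one, the rename step has no unambiguous target and should be skipped rather than guessed.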

