Nmap Development mailing list archives
Re: npcap horror story
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Sun, 31 Jul 2016 17:14:15 +0800
Hi Mike, I think this is a very rare issue because no one can reproduce it now. Personally I think the reason is that you installed some incompatible softwares. A stock Windows OS won't behave like this. So my suggestion is that you prepare a stock OS, then install your softwares one by one, to see which software causes this issue. Another way is that providing a remote access to me, so I can log on to see what happens. Cheers, Yang On Sat, Jul 30, 2016 at 1:34 AM, Rob Nicholls <robert () robnicholls co uk> wrote:
Hi Mike, Based on experience, Windows will display “Identifying” for a few seconds when a network adaptor thinks the connection is up (e.g. network cable is plugged in). I don’t think it should last more than a few seconds if everything’s working correctly. I’ve not really looked into it, but I suspect when it says “Identifying” it may be trying to negotiate the speed of the link, then sending DHCP requests to get an IPv4 address and details of the router (and potentially DNS servers), as well as similar requests for IPv6, such as listening for Router Advertisement responses to its Router Solicitation requests or DHCPv6 responses. If you’re not using DHCP on an interface and you’ve set a static IP instead, I believe it also sends ARP requests for the IP before allowing Windows to use that “preferred” IP itself, in order to avoid IP conflicts. If you’re on a new network (e.g. it’s the first time Windows has seen that MAC address for the IP address of the router) you’ll usually be asked which type of network you’re on (unless you’ve already ticked the box to say treat all future networks as Public). I’m guessing you never see that and it’s stuck on “Identifying”. I get the impression that only generally happens when there’s a bad switch or cable, but I’m not sure why you’re seeing it with the virtual adaptor. I did stumble upon a forum post that suggests the Bonjour service that comes with software such as iTunes can cause this problem. If you have the Bonjour service listed in services.msc it might be worth temporarily disabling it (and possibly restarting your computer). I’ve also seen a suggestion that the security update KB2862330 can also cause the issue you’re seeing, although I wouldn’t generally recommend uninstalling security updates! I doubt either of these are the cause, but you’re welcome to try them. As for the Npcap installation options, as I’ve possibly mentioned before I’ve always gone with the default settings, with just the second checkbox (support loopback traffic) selected. I’ve left all the others blank. It appears that the Npcap installer also tells you when WinPcap is already installed and explicitly states that installing Npcap will uninstall WinPcap first when installing Npcap in WinPcap API-compatible mode. Rob *From:* Mike . [mailto:dmciscobgp () hotmail com] *Sent:* 28 July 2016 22:06 *To:* Rob Nicholls <robert () robnicholls co uk> *Subject:* Re: npcap horror story thank you so much for the lengthy feedback [image: 😊] seriously, not trying to be a pain w/ this, but i never knew i would run into these issues. so i will try one more time to reinstall npcap. now, please explain something. last time i ran the installer, i checked only the first option. am i also supposed to select that "API winpcap" thing at the botom as well? and no on the key. there is a STRING that says that, but not a key/folder Mike *and again i ask what does "identifying"........ mean!!!?????????? ------------------------------ *From:* Rob Nicholls <robert () robnicholls co uk> *Sent:* Thursday, July 28, 2016 8:00 PM *To:* 'Mike .'; '食肉大灰兔V5' *Cc:* 'nmap-group' *Subject:* RE: npcap horror story Hi Mike, Yang, I appreciate this may not be particularly helpful, but I’ve yet to encounter any issues on Windows 7 using Npcap. I did briefly have similar issues with lo0 on a Windows 8 VM, but this was resolved after restarting Windows and reinstalling Npcap. I haven’t had any issues on any other Windows system, both native installs and virtual machines, while using the default installation settings. The most exotic setup I’ve used so far has been a laptop running a fully patched Windows 7 Pro x64 with Intel wired and wireless adapters, a VirtualBox Host-Only Network virtual adapter, and a Check Point Virtual Network Adapter (used by SecuRemote). The Intel Ethernet adapter was even configured with a dozen virtual interfaces as I’d configured multiple VLANs. Most of the scans were performed with only about 4 adapters enabled. The host also had commercial anti-virus software installed. I’ve run multiple scans, against 1 host through to scanning 40 hosts, performing default and full TCP and UDP scans. I’ve also run scans against 127.0.0.1. The host also had WinPcap installed, and Wireshark still worked fine. Npcap with NMAP 7.25BETA1 has worked fine for me all week. I’ve also built a Windows 7 Enterprise x86 VM (no Service Pack, no patches), installed Nmap and Npcap, and run a few scans. Again, I’ve not experienced any issues (other than Zenmap doesn’t show its icon in the shortcut for some reason). After installing Nmap and Npcap I opened up the Command Prompt and ran “nmap 127.0.0.1 -vv -A” and got back expected results after 95 seconds. An almost identical scan against one of my own servers on the Internet gave expected results after 66 seconds. The Npcap local loopback interface on both Windows 7 systems showed a 10.0Mbps connection (with an autoconfig IP). I do see the LoopbackAdapter registry keys (with valid values). If you don’t have the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter then something is presumably going wrong during the installation of Npcap (especially as it looks like it copies the key from Software\Npcap to the Services\npcap key). Yang, from skim reading the Npcap NSIS file, it looks like the first key is created by either NPFInstall.exe or NPFInstall2.exe, which are called a few times using ExecWait. I don’t see any checks after the file’s executed, other than whether the ExecWait of the executable returns “0”. The installer itself doesn’t seem to do much error checking at times. Is it possible to check within the installer, or perhaps in the NSIS script, that all of the actions have been performed at each step, and produce any detailed error messages if something has gone wrong during the installation? I mostly see a series of Extract and Execute lines interspersed with a few lines such as “Writing service options to registry”, but presumably we don’t check a valid registry value is present otherwise Mike would have seen an error during installation if his registry keys are missing. If I could replicate Mike’s original issues I’d be happy to help Yang debug the problem, but at the moment it looks like something specific to Mike’s particular system. Mike, I see a similar “Error in OpenService” message twice if I run Nmap 7.25BETA1 after deleting the npcap service on my clean Windows 7 test VM. If I subsequently install WinPcap I only get the error message once. I presume the error occurs once checking for the npcap service and a second time looking for WinPcap (the npf service). It sounds like you may have uninstalled or deleted Npcap and left WinPcap installed if you only get it once. It might make sense for someone to modify Nmap to only show that error if both npcap and npf are missing, or perhaps relegate it all to debug output? Otherwise anyone sticking with WinPcap will always see the error when Nmap checks for npcap. Rob *From:* dev [mailto:dev-bounces () nmap org <dev-bounces () nmap org>] *On Behalf Of *Mike . *Sent:* 28 July 2016 19:04 *To:* nmap-group <dev () nmap org> *Subject:* npcap horror story i call it a horror story because of all that i have had to go through in geting it to work, which it never did. so i deleted both adapters, rebooted and now nmap tells me this when i try and scan Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-28 12:57 Central Dayligh Nmap: the Network Mapper - Free Security Scanner <https://nmap.org/> nmap.org Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool. Download open source software for Linux, Windows, UNIX, FreeBSD, etc. t Time Error in OpenService would be nice if it told me what service it was trying to open. anyway, done with npcap and the hoop jumping required to get it to work. i can live without scanning loopback. it's not the end of the world. my only ? is this...did anyone ever test this on win7? Mike _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- npcap horror story Mike . (Jul 28)
- RE: npcap horror story Rob Nicholls (Jul 28)
- Re: npcap horror story nnposter (Jul 28)
- Message not available
- RE: npcap horror story Rob Nicholls (Jul 29)
- Re: npcap horror story 食肉大灰兔V5 (Jul 31)
- RE: npcap horror story Rob Nicholls (Jul 28)