Wireshark mailing list archives
Re: Npcap 0.01 call for test (2nd)
From: Yang Luo <hsluoyb () gmail com>
Date: Fri, 24 Jul 2015 21:12:11 +0800
Hi Jim,

Thanks for this detailed test and I have fixed some of the problems. Latest installer is: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r3.exe

See more feedback below:

On Thu, Jul 23, 2015 at 1:06 PM, Jim Young <jyoung () gsu edu> wrote:
Hello Yang,

From: Yang Luo <hsluoyb () gmail com>, Date: Wednesday, July 22, 2015 11:12 PM
I tested it against Win10 10240 x64 (French and Chinese), try installer at: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r2.exe

I've continued to test the various Npcap versions in WinPcap API mode on a Windows 8.1 system. Here are some observations.

1 - I cannot uninstall and then install Npcap successfully without rebooting the system between the Uninstall and Install. If I attempt the install without the reboot then the NPFInstall.exe -il step will stall and I am forced to reboot the system. After rebooting I can see that the various Npcap components like npf.sys, packet.dll, wpcap.dll will have been placed in the expected locations, but the newly created loopback interface will not have the expected Npcap name. To clean this up I manually Uninstall the orphaned loopback adapter and then rerun the Npcap installer, which will detect the files from the previous install attempt and launch the Npcap uninstaller. After the uninstaller finishes I [Cancel] the Npcap Install and reboot the system. Upon reboot I can successfully re-install Npcap.
It is so weird that NPFInstall.exe -il will stall. I encountered this sometimes several days ago, but I can't see it these days. I don't know if you can reproduce it stably and tell me the steps.
I've been using the following set of commands in a cmd shell to get a quick look-see at the state of the Npcap install and uninstall:

netsh.exe interface show interface
sc queryex npf
dir /s \npf.sys
dir /s \packet.dll
dir /s \wpcap.dll

Interestingly, when Npcap fails to install (because I didn't reboot after the last Uninstall), the orphaned "Microsoft KM-TEST Loopback Adapter" will NOT be listed in the netsh interface show interface report. I see this in the Device Manager's Network Adapters list.
This is also so weird. Maybe it is caused by the problem above.
2 - If I attempt to uninstall Npcap while npf is in use (Wireshark is running), the system will crash with the message: PAGE_FAULT_IN_NONPAGED_AREA or PAGE_FAULT_IN_NOT_PAGED_AREA (npf.sys). If I do not have Wireshark running, then the uninstall will complete successfully (but I still need to reboot to reinstall Npcap successfully). Interestingly, if one tries to stop npf while Wireshark is running (from an admin level cmd shell enter: sc stop npf), sc will report the stop request as "pending". Once Wireshark is shut down the npf service will stop. Should the uninstaller detect that the npf service could not shut down and abort the uninstall attempt?
This is a big issue, and I have fixed it in the latest release. First BSoD is fixed, then I forbid the uninstallation in the installer if Npcap is still in use.
3 - TCP packets captured on the loopback interface do not have payloads. With long running traces I see various occasional traffic on the LoopBack interface. It looks like only the TCP packets do not show payloads. Interestingly, when the Firefox browser is running I see various short lived TCP sessions on the loopback using adjacent port numbers (for example SYN src=49225, dstport=49224).
I have reproduced it, I will look into this.
4 - With the recent Npcap versions I had not seen any more issues with the Cisco AnyConnect VPN client. I had left some of these later Npcap versions running for hours with Wireshark sniffing on the loopback and sometimes other adapters. But immediately after I first installed Npcap 0.02.r2 the Cisco VPN client failed. I've uninstalled, rebooted and reinstalled Npcap 0.02.r2 a few times and each time I have had the Cisco AnyConnect VPN fail (sooner or later).
What technique is the Cisco AnyConnect VPN client based on? PPTP or L2TP or IPSec? I googled it but I didn't find a link to download it. Also I don't know if I need to pay for an account; is there a way that I could try it?
5 - The Npf installer (or uninstaller) is leaving what I assume are obsolete folders (and files in those folders) in subfolders of C:\Windows\System32\DriverStore\FileRepository. These subfolders have names that begin with "npf.inf_amd64_" followed by 16 hexadecimal characters. Should these be deleted as part of the install or uninstall process?
This is expected, and it is not Npcap's part to uninstall them.
6 - After the initial install of Npcap 0.02.r1, the npf service is immediately started, but upon a reboot the npf service is stopped and must be manually started (from an admin cmd shell: netsh start npf). Running Wireshark (as a normal user) does not automatically start the npf service. I have not attempted to start Wireshark in an admin level cmd shell.
I am looking into it, I think there is a need to automatically start the npf service instead of the current way. It is related to WFP callout and still needs time to be solved.
Best regards,

Jim Y.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
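The quick look-see commands Jim lists, rewritten as one PowerShell function with two extra checks the rest of the thread calls for: whether a stop of npf is still pending, and which processes still have wpcap.dll loaded (the "still in use" condition that crashed the uninstall). This is an added example, not code from the thread or from Npcap; it assumes the names used in the thread (service npf, the files npf.sys/packet.dll/wpcap.dll, the KM-TEST loopback adapter, the npf.inf_amd64_* DriverStore folders) and an elevated shell.

```powershell
# Added example (not from the thread or from Npcap): state of an Npcap
# install/uninstall on one box. Names assumed from the thread; run elevated.
function Get-NpcapState {
    $root = $env:SystemRoot

    # 1. Service state. 'StopPending' is what 'sc stop npf' reports while a
    #    capture is still open; uninstalling in that state is what crashed.
    $svc = Get-Service -Name npf -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # 2. Where the driver and DLLs ended up (the dir /s \npf.sys etc. checks).
    $files = foreach ($n in 'npf.sys', 'packet.dll', 'wpcap.dll') {
        Get-ChildItem -Path $root -Recurse -Filter $n -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }

    # 3. Processes that still have wpcap.dll mapped. Reading another process's
    #    module list can throw (access denied, bitness), so try each separately.
    $inUse = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq 'wpcap.dll' }) {
                '{0} (PID {1})' -f $p.ProcessName, $p.Id
            }
        } catch { }
    }

    # 4. Loopback adapter as Device Manager sees it (Win32_PnPEntity), since the
    #    orphaned one did not show up in 'netsh interface show interface'.
    $loop = Get-CimInstance Win32_PnPEntity -Filter "Name LIKE '%KM-TEST Loopback%'" |
        Select-Object -ExpandProperty Name

    # 5. Driver packages left behind in the DriverStore.
    $store = Get-ChildItem "$root\System32\DriverStore\FileRepository" -Directory `
        -Filter 'npf.inf_amd64_*' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ServiceStatus    = $status
        Files            = @($files)
        ProcessesUsingIt = @($inUse)
        LoopbackAdapters = @($loop)
        DriverStoreDirs  = @($store)
        # The check the installer now performs before allowing an uninstall.
        SafeToUninstall  = ($status -ne 'StopPending') -and (@($inUse).Count -eq 0)
    }
}

Get-NpcapState | Format-List
```

A non-empty ProcessesUsingIt list or a StopPending status is the situation in which the uninstaller should refuse to proceed rather than unload npf.sys.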