Wireshark mailing list archives

Re: Npcap 0.01 call for test (2nd)


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Fri, 24 Jul 2015 19:56:30 +0200

2015-07-24 15:14 GMT+02:00 Yang Luo <hsluoyb () gmail com>:

Hi Pascal,

I think I have added the "flpp4" and "flpp6" to Npcap, but I don't know if
this works, you could try latest installer:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r3.exe


Hi Yang,

I can see the interface listed now. I will not be able to try capturing
traffic before next Thursday unfortunately as I'm traveling.

Regards,
Pascal.



On Thu, Jul 23, 2015 at 4:18 PM, Pascal Quantin <pascal.quantin () gmail com>
wrote:



2015-07-22 21:39 GMT+02:00 Pascal Quantin <pascal.quantin () gmail com>:



2015-07-22 18:25 GMT+02:00 Yang Luo <hsluoyb () gmail com>:

Hi Pascal,

On Wed, Jul 22, 2015 at 11:33 PM, Pascal Quantin <
pascal.quantin () gmail com> wrote:


I just gave a try to this new installer:
- still my rename issue of the loop back installer (as expected ;)).
Is there some debug log / test I could do on my side? I will double check
if the rename works fine on a French Win 7.

I think I perhaps know why this doesn't work on your French Win10. It
can be language related. Because the Win10 renaming way uses string parsing
again. This is the mechanism:
1) First Npcap runs "netsh.exe interface show interface" to get all
interfaces before installing "Npcap Loopback Adapter", you will get something
like below in English language (but I don't know if my code adapts to
French, this is the key point).
Admin State    State          Type             Interface Name

-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet

Npcap will parse this output to get all interface names, the method is
first going to the third line, then find the line feed char '\n', if '\n'
found, then reverse-find the two continuous space char "  ". Then we can
get a name like "VMware Network Adapter VMnet1", the same for other names.
Save them to a vector<string>.

2) After "Npcap Loopback Adapter" is installed, Npcap will run "netsh.exe
interface show interface" again, to get the updated interface list, like
below:
Admin State    State          Type             Interface Name

-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet
Enabled        Connected      Dedicated        Ethernet 2

We can get another vector<string> from above output, compare these two
vectors, find the new name, which is "Ethernet 2".

3) Then Npcap will rename this new adapter using "netsh.exe interface
set interface name=\"%s\" newname=\"%s\"", the first %s is previous
"Ethernet 2", and the second %s is "Npcap Loopback Adapter".

So I think this way possibly fails in a different language system than
English, because the output of "netsh.exe interface show interface" can be
language specific. You can try these commands manually to see whether this
method works.


Indeed the command output is localized. Before installing Npcap, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet

After the installation, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet
Activé         Connecté       Dédié            Ethernet 2

Executing manually the command netsh.exe interface set interface
name="Ethernet 2" newname="Npcap Loopback Adapter"
does work.


- driver can be started after reboot (manually or with Wireshark)

Good for this.


- for those having User Account Control activated, you need to start
Wireshark as administrator (even without restricting Npcap to admin during
installation) to have the driver started. Unfortunate... If this is the
loopback adapter that triggers the issue at startup, should its
installation be optional?

I don't know whether there are many people using Wireshark in a
non-Admin privilege? If yes, then I think the lacking boot start support
needs a solution. Making loopback code optional is kind of difficult,
because its code is deep in the driver and has tight connection with other
parts.


- I finally got the opportunity to test with a MBIM WWAN device (long
due task on my side ;)). The interface is not listed unfortunately.

This is weird, because in the driver's INF file, I have specified:
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan,
bluetooth, ndis5, vwifi, nolower"
It should have included WAN interfaces. Perhaps you would like to find
out if this WAN device has appeared in the registry, because Npcap or WinPcap
only sees interfaces that appear in the registry, registry path is:
\\HKLM\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}.


I will try to get my hands on the PC again (gave it back to my
colleague) to verify this.



I got access to the PC. There are 2 Mobile Broadband interfaces being
listed on the PC and not seen by Npcap. You will find attached the
corresponding registry key dumps.

Cheers,
Pascal.



Cheers,
Yang



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
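
Added example, not Npcap's code and not part of the thread: a sketch of the before/after interface diff described in the message above, written so that it does not depend on the display language. The helper names parse_names and new_names are hypothetical, and the sample listings are constructed from the French output quoted in the thread.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample input, modelled on the French listing quoted in the thread.
const std::string BEFORE =
    "État admin    État          Type            Nom de l'interface\n"
    "-------------------------------------------------------------------------\n"
    "Activé         Connecté       Dédié            Ethernet\n";
const std::string AFTER = BEFORE +
    "Activé         Connecté       Dédié            Ethernet 2\n";

// Hypothetical helper: rows begin after the dashed separator (not at a fixed
// line number), and the name is the text after the last run of two spaces,
// so localized headers and single spaces inside names are both handled.
std::vector<std::string> parse_names(const std::string& out) {
    std::vector<std::string> names;
    std::istringstream in(out);
    std::string line;
    bool in_rows = false;
    while (std::getline(in, line)) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' '))
            line.pop_back();                       // CRLF and padding
        if (!in_rows) {                            // still in the header
            in_rows = line.size() > 3 &&
                      line.find_first_not_of('-') == std::string::npos;
            continue;
        }
        std::size_t gap = line.rfind("  ");
        if (line.empty() || gap == std::string::npos) continue;
        names.push_back(line.substr(gap + 2));
    }
    return names;
}

// Hypothetical helper: names present after installation but not before.
std::vector<std::string> new_names(const std::string& before, const std::string& after) {
    std::vector<std::string> b = parse_names(before);
    std::set<std::string> seen(b.begin(), b.end());
    std::vector<std::string> added;
    for (const std::string& n : parse_names(after))
        if (!seen.count(n)) added.push_back(n);
    return added;
}

int main() {
    std::vector<std::string> added = new_names(BEFORE, AFTER);
    // Rename only when exactly one adapter appeared; anything else is ambiguous.
    if (added.size() != 1) { std::cerr << "ambiguous adapter diff\n"; return 1; }
    std::cout << "new adapter: " << added[0] << "\n";
    return 0;
}
```

A caller would pass the single returned name to the rename command only when exactly one new name is found, since an installer running elevated should not rename an adapter it cannot identify unambiguously.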




