Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capt
From: Jim Young <[email protected]>
Date: Thu, 16 Jul 2015 06:30:28 +0000
From: Yang Luo <[email protected]>Hi list, > >In order not to diverge with WinPcap interfaces, I have made a "WinPcap >Mode" for Npcap, it uses the same system32 directory to put DLLs and has >the same "npf" service and driver name. So it can be directly used in >Wireshark without any patch. Hello Yang, I've been testing Npcap 0.01 on a Windows 8.1 Enterprise workstation. The workstation is not connected to Active Directory. I have only attempted to use Npcap in WinPcap Mode. As expected when I first attempted the install, Npcap detected that WinPcap was already installed. I canceled the Npcap install, uninstalled WinPcap 4.1.3 and then successfully installed Npcap using the WinPcap Mode option. The Windows Device Manager showed the "Npcap Loopback Adapter" in the list of Network Adapters. I started up a development version of Wireshark, selected the Ncpap loopback adapter and from a cmd shell started pinging 127.0.0.1. The ping requests and replies to the loopback interface were seen and captured using the Npcap loopback interface. I used MS ping's -l option to send minimum (-l 0) and maximum (-l 65500) sized ping requests to see what the Npcap interface would capture. When pinging the ipv4 loopback address of 127.0.0.1 the packets were 42 (min) and 65542 (max) bytes respectively. Pinging the ipv6 loopback address of ::0 the min and max sized packets were 62 and 65552 bytes respectively. I opted to leave Wireshark up capturing on the loopback interface for several hours. In these captures I occasionally saw that TCP sessions were successfully setup and then torn down via a RST packet usually about 19 seconds later. The TCP RST packets were sent with Sequence numbers of 4-8 to Sequence numbers like 98 implying that perhaps some data packet was sent but not captured. When I later attempted to install a new version of Wireshark, Wireshark's installer assumed there was no WinPcap installed; Wireshark's install process can not detect that Npcap has been installed in WinPcap mode. In this case I opted skip the install of WinPcap but allowed the newer Wireshark to install. I opted to leave the Qt based Wireshark now using Npcap in WinPcap mode up and running overnight at the Welcome screen. The following morning I noticed that the Cisco AnyConnect VPN Client installed on this workstation had failed. This was a new behavior. I rebooted the workstation to see if it would resolve the Cisco AnyConnect issue. But shortly after the system had rebooted the AnyConnect would again fail. I opted to uninstall Npcap 0.01 and rebooted the system. Once Npcap was removed and the system no longer reported and any problems for the Cisco AnyConnect Client. I then opted to re-install Npcap 0.01 to see if the AnyConnect problem would reappear. But this time the installation failed with the message "Failed to create the npcap service for Win7 and Win8. Please try installing Npcap again, or use the official Npcap installer from www.nmap.org". I retried the Npcap installation which appeared to be successful. But after starting Wireshark I had the message "No interfaces found". I uninstalled Npcap and reinstalled WinPcap. I could now see interfaces. I then uninstalled WinPcap. Wireshark reported "No interface found" (I expected Wireshark to report that WinPcap was not installed). I then opted to reinstall Npcap yet again. This time the Npcap installation failed spectacularly with a message of BAD_POOL_CALLER and Windows subsequently crashed and rebooted. After the system was up I attempted to load Wireshark but was presented with an error dialog with the title "Wireshark.exe - Bad Image". Here was the message text. > C:\Windows\system32\wpcap.dll is either not designed to run on Windows >or it contains an error. Try installing the program again using the >original installation media or contact your system administrator or the >software vendor for support. Error status 0xc00012f. This error was followed by the same dialog but for for packet.dll, and then a similar pair of messages except this time it was dumpcap.exe that was listed in the dialog's title. Wireshark subsequently display a message in the interface section of the Welcome screen that said: "Unable to load WinPcap (wpcap.dll); you will not be able to capture packets. Š" I opted to try the Npcap installation yet again. This time the "Npcap 0.01 for Nmap (beta) Setup" dialog displayed the message "Npcap version 0.1.0.710 exists on this system. Replace with version 0.01?" I clicked [Yes]. But On the Security and API Options page the "Install Npcap in Winpcap AP compatible mode" was disabled. Since I could not install Npcap in WinPcap mode I choose to abort [Cancel] this install. I then tried to re-install WinPcap. The WinPcap 4.1.3 Setup displayed the message "A previous version of WinPcap has been detected on this system. Unfortunately, this installer is not able to remove it. Do you want to continue with the installation?" I choose [Yes] and WinPcap was successfully installed. After several Wireshark tests I removed WinPcap and attempted yet another install Npcap. This time I was presented with the message: > Npcap 0.1.710 exists on this system. Replace with version 0.01?" I choose [Yes]. This time I could choose the Install Npcap in WinPcap API-compatiable mode option. The Npcap loopback was again available to use. Similar to my previous tests, a few hours after installing Npcap in WinPcap mode I was presented with a Cisco AnyConnect Client error. For the time being I have uninstalled Npcap 0.01 and reinstalled WinPcap 4.1.3. But I look forward to testing future versions of Npcap. I hope you find this info useful. Best regards, Jim Y.
- Prev by Date: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature
- Next by Date: [Wireshark-dev] PcapNG format support for dumpcap
- Previous by thread: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature
- Next by thread: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature