Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Tyson Key <tyson.key@xxxxxxxxx>
Date: Sun, 19 Jul 2015 19:30:53 +0100
Sorry for the further spam, but this is an interesting (and annoying!) development...

After rebooting from the last BSOD, I tried running Wireshark, and received the usual error about the NPF server not running. However, after quitting it, I decided to try disabling the "Microsoft Network Monitor 3 Driver" (which seems to coexist with regular WinPcap without problems), and ran "sc start npf":

C:\WINDOWS\system32>sc start npf

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\WINDOWS\system32>

After waiting a little while, I started wireshark-gtk.exe, and discovered that the interface list was populated. However, after about 45 seconds, I received yet another BSOD:

==================================================
Dump File         : 071915-30828-01.dmp
Crash Time        : 19/07/2015 07:18:16 pm
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000099
Parameter 2       : ffffe001`e8f04148
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`00000000
Caused By Driver  : tm.sys
Caused By Address : tm.sys+e29ef9
File Description  : Kernel Transaction Manager Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
Processor         : x64
Crash Address     : ntoskrnl.exe+150ca0
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\071915-30828-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 9600
Dump File Size    : 281,520
Dump File Time    : 19/07/2015 07:20:06 pm
==================================================

Would be interesting to know why the BSOD occurs in the Kernel Transaction Manager, this time...

Tyson.
2015-07-19 19:13 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:
...and after rebooting, and reinstalling the various components using NPFInstall, and launching Wireshark, no interfaces are detected. However, after trying "sc start npf", and waiting a while, I'm greeted with another BSOD, of the same kind as last time:

==================================================
Dump File         : 071915-35687-01.dmp
Crash Time        : 19/07/2015 07:03:01 pm
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
Parameter 2       : 00000000`00001200
Parameter 3       : 00000000`00000003
Parameter 4       : ffffe000`99fa1008
Caused By Driver  : tcpip.sys
Caused By Address : tcpip.sys+1c2180
File Description  : TCP/IP Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
Processor         : x64
Crash Address     : ntoskrnl.exe+150ca0
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\071915-35687-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 9600
Dump File Size    : 281,520
Dump File Time    : 19/07/2015 07:04:09 pm
==================================================

Tyson.

2015-07-19 17:05 GMT+01:00 Pascal Quantin <pascal.quantin@xxxxxxxxx>:
Hi Yang,

2015-07-19 15:55 GMT+02:00 Yang Luo <hsluoyb@xxxxxxxxx>:
Hi Jim,

Thanks for testing!

On Sun, Jul 19, 2015 at 12:25 AM, Jim Young <jyoung@xxxxxxx> wrote:
Hello Yang,

Two comments on all for 2nd test.

1 - Should the name of the newer package reflect that this is a different Npcap package from the 1st one?  The 2nd package is named identical to the 1st one of npcap-nmap-0.01.exe.  The newly downloaded one was saved by the browser as npcap-nmap-0.01(1).exe to avoid clobbering the 1st one still in the Download folder.


From now on, I will use an installer name such as npcap-nmap-0.01-r2.exe, which means revision 2 under version 0.01. I don't want to change version numbers, as current Npcap has many bugs and can't be released as a stable version yet.

2 - After uninstalling WinPcap, but not rebooting, I started installing the newest Npcap package, but the new install is hung at the step:

Execute: "C:\Program Files\Npcpa\NPFInstall.exe" -il

I have improved this part of the logic, please test the latest installer:

This operation takes some time indeed, but should be less than 20s.

I just gave a quick test to 0.1-r2 version on my Windows 10 virtual machine.
- I uninstalled WinPcap and installed Npcap in WinPcap mode without reboot. I got the same warning as Tyson regarding the upgrade of the npf.sys file, presumably because yours has version 0.1.0.710 against WinPcap, which uses version 4.1.0.2980. Maybe you should advise rebooting the PC after uninstalling WinPcap.
- The loopback interface is still named 'Ethernet 2'. I run on Windows 10.0.10240 with French locale in case this matters.
- After reboot, Wireshark could not see any interface. I double-checked the driver state and saw that it was stopped. Manually starting it with the 'sc npf start' command allowed Wireshark to see interfaces. After reboot the service does not start automatically.

I will try to test the WWAN capture beginning of next week.

Pascal.


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



--
                                          Fight Internet Censorship! http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844



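Pascal's observation above, that the driver sits stopped after a reboot until someone runs "sc start npf" by hand, is easy to check from PowerShell. The following is an added example, not code from this thread or from the Npcap project. It assumes the capture driver is registered with the Service Control Manager under the service name 'npf' (as in Tyson's sc transcript) and that the shell is elevated; the function names Get-CaptureDriverStatus and Start-CaptureDriver are my own, and changing the start type is offered as an assumption about the fix, not something the thread established.

```powershell
# Added example, not code from the thread or from the Npcap project.
# Assumptions: the capture driver is registered with the SCM as 'npf' (as in
# the "sc start npf" transcript in the thread) and this shell is elevated.

function Get-CaptureDriverStatus {
    param([string]$Name = 'npf')
    # Win32_SystemDriver covers KERNEL_DRIVER services, which Get-Service does not list.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) { throw "Kernel driver service '$Name' is not registered." }
    [pscustomobject]@{
        Name      = $drv.Name
        State     = $drv.State       # 'Running' or 'Stopped'
        StartMode = $drv.StartMode   # 'Boot', 'System', 'Auto', 'Manual', 'Disabled'
        PathName  = $drv.PathName    # the npf.sys the SCM will actually load
    }
}

function Start-CaptureDriver {
    param(
        [string]$Name = 'npf',
        [switch]$StartAtBoot   # also make the driver come up without a manual 'sc start'
    )
    $before = Get-CaptureDriverStatus -Name $Name

    if ($before.State -ne 'Running') {
        # Same operation Tyson ran by hand: "sc start npf".
        & sc.exe start $Name | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc start $Name failed with exit code $LASTEXITCODE" }
    }

    if ($StartAtBoot -and $before.StartMode -in @('Manual', 'Disabled')) {
        # Assumption (not established in the thread): the "does not start after
        # reboot" symptom is a start-type problem, so switch the driver to 'auto'.
        & sc.exe config $Name start= auto | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc config $Name failed with exit code $LASTEXITCODE" }
    }

    # The thread notes interfaces only appeared "after waiting a little while".
    Start-Sleep -Seconds 2
    Get-CaptureDriverStatus -Name $Name
}

# Usage:
#   Get-CaptureDriverStatus
#   Start-CaptureDriver -StartAtBoot
```

Get-CaptureDriverStatus reports both the runtime state and the configured start mode, which is the distinction Pascal's report hinges on: a driver that starts fine under "sc start" but shows StartMode 'Manual' will be stopped again after every reboot. Start-CaptureDriver only touches the start type when asked to, so the first call can be used purely as a diagnostic.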